diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 2d21a68dd9..04fefbcdb6 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -20520,6 +20520,11 @@ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf", "redirect_document_id": true }, + { + "source_path": "windows/client-management/mdm/applocker-xsd.md", + "redirect_url": "/windows/client-management/mdm/applocker-csp#policy-xsd-schema", + "redirect_document_id": true + }, { "source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md", "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard", diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index a21b6f8223..f9a7b26caf 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -1,223 +1,936 @@ --- title: AppLocker CSP -description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed. -ms.reviewer: +description: Learn more about the AppLocker CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/23/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/19/2019 +ms.topic: reference --- + + + # AppLocker CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked. + + The following example shows the AppLocker configuration service provider in tree format. -```console -./Vendor/MSFT -AppLocker -----ApplicationLaunchRestrictions ---------Grouping -------------EXE -----------------Policy -----------------EnforcementMode -----------------NonInteractiveProcessEnforcement -------------MSI -----------------Policy -----------------EnforcementMode -------------Script -----------------Policy -----------------EnforcementMode -------------StoreApps -----------------Policy -----------------EnforcementMode -------------DLL -----------------Policy -----------------EnforcementMode -----------------NonInteractiveProcessEnforcement -------------CodeIntegrity -----------------Policy -----EnterpriseDataProtection ---------Grouping -------------EXE -----------------Policy -------------StoreApps -----------------Policy -----LaunchControl ---------Grouping -------------EXE -----------------Policy -----------------EnforcementMode -------------StoreApps -----------------Policy -----------------EnforcementMode -----FamilySafety ---------Grouping -------------EXE -----------------Policy -----------------EnforcementMode -------------StoreApps -----------------Policy -----------------EnforcementMode +```text +./Vendor/MSFT/AppLocker +--- ApplicationLaunchRestrictions +------ {Grouping} +--------- CodeIntegrity +------------ Policy +--------- DLL +------------ EnforcementMode +------------ NonInteractiveProcessEnforcement +------------ Policy +--------- EXE +------------ EnforcementMode +------------ NonInteractiveProcessEnforcement +------------ Policy +--------- MSI +------------ EnforcementMode +------------ Policy +--------- Script +------------ EnforcementMode +------------ Policy +--------- StoreApps +------------ EnforcementMode +------------ Policy +--- EnterpriseDataProtection +------ {Grouping} +--------- EXE +------------ Policy +--------- StoreApps +------------ Policy +--- FamilySafety +------ {Grouping} +--------- EXE +------------ EnforcementMode +------------ Policy +--------- StoreApps +------------ EnforcementMode +------------ Policy +--- LaunchControl +------ {Grouping} +--------- EXE +------------ EnforcementMode +------------ Policy +--------- StoreApps +------------ EnforcementMode +------------ Policy ``` -**./Vendor/MSFT/AppLocker** -Defines the root node for the AppLocker configuration service provider. + -**AppLocker/ApplicationLaunchRestrictions** + +## ApplicationLaunchRestrictions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions +``` + + + + Defines restrictions for applications. + + + > [!NOTE] -> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. +> When you create a list of allowed apps, all [inbox apps](#inbox-apps-and-components) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. > > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node. > [!NOTE] -> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI. +> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the `AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy` URI. + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define. -Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + +**Description framework properties**: -Supported operations are Get, Add, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE** -Defines restrictions for launching executable applications. + + + -Supported operations are Get, Add, Delete, and Replace. + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + +### ApplicationLaunchRestrictions/{Grouping} -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping} +``` + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + -The data type is a string. + + + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/NonInteractiveProcessEnforcement** -The data type is a string. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + -Supported operations are Add, Delete, Get, and Replace. + + + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI** -Defines restrictions for executing Windows Installer files. + -Supported operations are Get, Add, Delete, and Replace. + +#### ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Data type is string. + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity +``` + -Supported operations are Get, Add, Delete, and Replace. + + + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + -The data type is a string. + +**Description framework properties**: -Supported operations are Get, Add, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script** -Defines restrictions for running scripts. + + + -Supported operations are Get, Add, Delete, and Replace. + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + +##### ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy +``` + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). - -The data type is a string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps** -Defines restrictions for running apps from the Microsoft Store. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. - -Data type is string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). - -The data type is a string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL** -Defines restrictions for processing DLL files. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. - -Data type is string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). - -The data type is a string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/NonInteractiveProcessEnforcement** -The data type is a string. - -Supported operations are Add, Delete, Get, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity** -This node is only supported on the desktop. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. - -Data type is Base64. - -Supported operations are Get, Add, Delete, and Replace. + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. This will need to be Base64 encoded. + + + > [!NOTE] -> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP. +> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker CSP. + -**AppLocker/EnterpriseDataProtection** -Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/DLL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL +``` + + + + +Defines restrictions for processing DLL files. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/DLL/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/DLL/NonInteractiveProcessEnforcement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/NonInteractiveProcessEnforcement +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/DLL/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/EXE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE +``` + + + + +Defines restrictions for launching executable applications. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/EXE/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/EXE/NonInteractiveProcessEnforcement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/NonInteractiveProcessEnforcement +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/EXE/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/MSI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI +``` + + + + +Defines restrictions for executing Windows Installer files. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/MSI/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/MSI/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/Script + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script +``` + + + + +Defines restrictions for running scripts. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/Script/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/Script/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/StoreApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps +``` + + + + +Defines restrictions for running apps from the Microsoft Store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/StoreApps/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/StoreApps/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +## EnterpriseDataProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection +``` + + + + +Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in ./Device/Vendor/MSFT/EnterpriseDataProtection in EnterpriseDataProtection CSP. + + + + In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. You can set the allowed list using the following URI: @@ -238,52 +951,1316 @@ Exempt examples: Additional information: - [Recommended blocklist for Windows Information Protection](#recommended-blocklist-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. + -**AppLocker/EnterpriseDataProtection/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define. -Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + +**Description framework properties**: -Supported operations are Get, Add, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**AppLocker/EnterpriseDataProtection/_Grouping_/EXE** + + + + + + + +### EnterpriseDataProtection/{Grouping} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping} +``` + + + + +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### EnterpriseDataProtection/{Grouping}/EXE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/EXE +``` + + + + Defines restrictions for launching executable applications. + -Supported operations are Get, Add, Delete, and Replace. + + + -**AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### EnterpriseDataProtection/{Grouping}/EXE/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/EXE/Policy +``` + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + -Data type is string. + + + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### EnterpriseDataProtection/{Grouping}/StoreApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/StoreApps +``` + + + + Defines restrictions for running apps from the Microsoft Store. + -Supported operations are Get, Add, Delete, and Replace. + + + -**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### EnterpriseDataProtection/{Grouping}/StoreApps/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/StoreApps/Policy +``` + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + -Data type is string. + + + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive). -2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + - The **Device Portal** page opens on your browser. + + + - ![device portal screenshot.](images/applocker-screenshot1.png) + -3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. -4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps. + +## FamilySafety - ![device portal app manager.](images/applocker-screenshot3.png) + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -5. If you don't see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. + +```Device +./Vendor/MSFT/AppLocker/FamilySafety +``` + - ![app manager.](images/applocker-screenshot2.png) + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### FamilySafety/{Grouping} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### FamilySafety/{Grouping}/EXE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### FamilySafety/{Grouping}/EXE/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### FamilySafety/{Grouping}/EXE/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### FamilySafety/{Grouping}/StoreApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### FamilySafety/{Grouping}/StoreApps/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### FamilySafety/{Grouping}/StoreApps/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +## LaunchControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### LaunchControl/{Grouping} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### LaunchControl/{Grouping}/EXE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### LaunchControl/{Grouping}/EXE/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### LaunchControl/{Grouping}/EXE/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### LaunchControl/{Grouping}/StoreApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### LaunchControl/{Grouping}/StoreApps/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### LaunchControl/{Grouping}/StoreApps/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + + +## Policy XSD Schema + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## File Publisher Rules The following table shows the mapping of information to the AppLocker publisher rule field. @@ -301,50 +2278,9 @@ Here's an example AppLocker publisher rule: ``` -You can get the publisher name and product name of apps using a web API. - -**To find publisher and product name for Microsoft apps in Microsoft Store for Business:** - -1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote. - -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is [https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl](https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl), and you'd copy the ID value: **9wzdncrfhvjl**. - -3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. - -Request URI: - -```http -https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata -``` - -Here's the example for Microsoft OneNote: - -Request - -```http -https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata -``` - -Result - -```json -{ - "packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe", - "packageIdentityName": "Microsoft.Office.OneNote", - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" -} -``` - -|Result data|AppLocker publisher rule field| -|--- |--- | -|packageIdentityName|ProductName| -|publisherCertificateName|Publisher| -|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

This value will only be present if there's a XAP package associated with the app in the Store.

If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| - - -## Settings apps that rely on splash apps +You can get the publisher name and product name of apps using either `Get-AppxPackage` PowerShell cmdlet or [Windows Device Portal](/windows/uwp/debug-test-perf/device-portal-desktop). +## Settings apps that rely on splash apps These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. @@ -368,8 +2304,7 @@ The product name is first part of the PackageFullName followed by the version nu | SettingsPageAppsCorner | 5b04b775-356b-4aa0-aaf8-6491ffea580a\_1.0.0.0\_neutral\_\_4vefaa8deck74 | 5b04b775-356b-4aa0-aaf8-6491ffea580a | | SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 | - -## Inbox apps and components +## Inbox apps and components The following list shows the apps that may be included in the inbox. @@ -467,7 +2402,7 @@ The following list shows the apps that may be included in the inbox. |Xbox|b806836f-eebe-41c9-8669-19e243b81b83|Microsoft.XboxApp| |Xbox identity provider|ba88225b-059a-45a2-a8eb-d3580283e49d|Microsoft.XboxIdentityProvider| -## Allowlist examples +## Allowlist examples The following example disables the calendar application. @@ -1028,7 +2963,8 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo ``` ## Example for Windows 10 Holographic for Business -The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, and Settings. + +The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inbox-apps-and-components) to enable a working device, and Settings. ```xml @@ -1464,7 +3400,10 @@ In this example, Contoso is the node name. We recommend using a GUID for this no ``` + -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index d0e4446e1c..af3f58ccbe 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -1,673 +1,1149 @@ --- title: AppLocker DDF file -description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the AppLocker configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/23/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # AppLocker DDF file -This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). +The following XML file contains the device description framework (DDF) for the AppLocker configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + AppLocker + ./Vendor/MSFT + + + + + Root node for the AppLocker configuration service provider + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - AppLocker - ./Vendor/MSFT + ApplicationLaunchRestrictions + + + + + Defines restrictions for applications. + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + + + + + + + + + + Grouping + + + + + + + + - ApplicationLaunchRestrictions + EXE + + + + + + + + Defines restrictions for launching executable applications. + + + + + + + + + + + + + + + Policy - - - - - - - - - - - - - - - - - - + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic - - - - - - - - - - - - - - - - - - - Grouping - - - - - - EXE - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - NonInteractiveProcessEnforcement - - - - - - - - - - - - - - - - - - text/plain - - - - - - MSI - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - - Script - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - - StoreApps - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - - DLL - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - NonInteractiveProcessEnforcement - - - - - - - - - - - - - - - - - - text/plain - - - - - - CodeIntegrity - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + NonInteractiveProcessEnforcement + + + + + + + + Insert Description Here + + + + + + + + + + + + + + - EnterpriseDataProtection + MSI + + + + + + + + Defines restrictions for executing Windows Installer files. + + + + + + + + + + + + + + + Policy - - - - - - - - - - - - - - - + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic - - - - - - - - - - - - - - - - - - - Grouping - - - - - - EXE - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - - StoreApps - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + Script + + + + + + + + Defines restrictions for running scripts. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + StoreApps + + + + + + + + Defines restrictions for running apps from the Microsoft Store. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + DLL + + + + + + + + Defines restrictions for processing DLL files. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + NonInteractiveProcessEnforcement + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + + + CodeIntegrity + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. This will need to be Base64 encoded. + + + + + + + + + + + + + + + Automatic + + + + + + EnterpriseDataProtection + + + + + Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in ./Device/Vendor/MSFT/EnterpriseDataProtection in EnterpriseDataProtection CSP. + + + + + + + + + + + + + + + + + + + + + + + + Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + + + + + + + + + + Grouping + + + + + + + + + + + EXE + + + + + + + + Defines restrictions for launching executable applications. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + + StoreApps + + + + + + + + Defines restrictions for running apps from the Microsoft Store. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + + + + LaunchControl + + + + + Insert Description Here + + + + + + + + + + + + + + + + + + + + + + + + Insert Description Here + + + + + + + + + + Grouping + + + + + + + + + + + EXE + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + StoreApps + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + + + FamilySafety + + + + + Insert Description Here + + + + + + + + + + + + + + + + + + + + + + + + Insert Description Here + + + + + + + + + + Grouping + + + + + + + + + + + EXE + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + StoreApps + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[AppLocker configuration service provider](applocker-csp.md) \ No newline at end of file +[AppLocker configuration service provider reference](applocker-csp.md) diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md deleted file mode 100644 index 9daa087800..0000000000 --- a/windows/client-management/mdm/applocker-xsd.md +++ /dev/null @@ -1,1292 +0,0 @@ ---- -title: AppLocker XSD -description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 ---- - -# AppLocker XSD - -Here's the XSD for the AppLocker CSP. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -  - -  - - - - - -