deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 12:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

removed sideloading apps topic

Browse Source
This commit is contained in:
Justin Hall
2019-05-17 10:22:37 -07:00
parent 4739a22778
commit 2717120544
2 changed files with 0 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/security/threat-protection/windows-defender-application-control/TOC.md
View File

@ -34,7 +34,6 @@
### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) ### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md) ### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md)
#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md) #### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md)
### [Sideload Win32 apps on S mode](sideloading-win32-apps-on-windows-10-s-mode-devices.md)
### [Disable WDAC policies](disable-windows-defender-application-control-policies.md) ### [Disable WDAC policies](disable-windows-defender-application-control-policies.md)
### [Device Guard and AppLocker](windows-defender-device-guard-and-applocker.md) ### [Device Guard and AppLocker](windows-defender-device-guard-and-applocker.md)

109
windows/security/threat-protection/windows-defender-application-control/sideloading-win32-apps-on-windows-10-s-mode-devices.md
View File

@ -1,109 +0,0 @@
---
title: Sideloading Win32 apps on Windows 10 S mode devices (Windows 10)
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: mdsakibMSFT
ms.date: 05/17/2018
---
# Sideloading Win32 apps on Windows 10 S mode devices
**Applies to:**
- Windows 10
- Windows Server 2016
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Windows 10 S mode is a locked-down system that only runs Store apps.
Although it provides tight security and thereby promises reduced management, its application control restrictions make it difficult for some to adopt it widely.
Sideloading makes S mode a more viable proposition for enterprise and education workloads by allowing critical Desktop apps in addition to Store apps.
## Process Overview
To allow Win32 apps to run on a Windows 10 device in S mode, admins must unlock the device so exceptions can be made to S mode policy, and then upload a corresponding signed catalog for each app to Intune. Here are the steps:
1. Unlock S mode devices through Intune
- Admin uses the Device Guard Signing Service (DGSS) in the Microsoft Store for Business to generate a root certificate for the organization and upload it to Intune
- Intune will ensure this certificate is included in a devices unlock token from OCDUS, and any app catalogs which are signed with it will be able to run on the unlocked device
2. Create a supplemental policy to allow Win32 apps
- Admin uses Windows Defender Application Control tools to create a supplemental policy
- Admin uses DGSS to sign their supplemental policy
- Admin uploads signed supplemental policy to Intune
3. Allow Win32 app catalogs through Intune
- Admin creates catalog files (1 for every app) and signs them using DGSS or other certificate infrastructure
- Admin submits the signed catalog to Intune
- Intune applies the signed catalog to unlocked S mode device using Sidecar
## Setting up Business Store to use DGSS
1. In the Azure portal, create a new resource of type Azure Active Directory, then create an associated global admin user.
2. Log in to the Microsoft Store for Business as the global admin then go to **Organization** > **Private Store** and accept.
This will automatically generate a root certificate for the organization.
3. To download a root cert or upload policies/catalogs to sign, navigate to **Manage** > **Settings** > **Devices**.
Note: you can only upload .bin and .cat files.
## Creating and Signing a Supplemental Policy
1. Create new base policy using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps)
```powershell
New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath <path> -MultiplePolicyFormat 3> <path\CIPolicyLog.txt> -FilePath <path\SupplementalPolicy.xml>
```
2. Change it to a supplemental policy using [Set-CIPolicyIdInfo](https://docs.microsoft.com/powershell/module/configci/set-cipolicyidinfo?view=win10-ps)
```powershell
Set-CIPolicyIdInfo -BasePolicyToSupplementPath <path\SupplementalPolicy.xml> -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath <path\SupplementalPolicy.xml>
```
>[!NOTE]
>5951A96A-E0B5-4D3D-8FB8-3E5B61030784' is the S-mode Base Policy ID.
3. Put policy in enforce mode using [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps)
```powershell
Set-RuleOption -FilePath <path\SupplementalPolicy.xml> -Option 3 Delete
```
This deletes the audit mode qualifier.
4. Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps)
```powershell
ConvertFrom-CIPolicy -XmlFilePath <path\SupplementalPolicy.xml> -BinaryFilePath <path\PolicyID>
```
>[!NOTE]
>PolicyID can be found by inspecting the Supplemental Policy XML. Convert to .bin to sign with DGSS (recommended) or .cip to sign locally.
5. To sign using the recommended DGSS option through the Microsoft Store for Business, click **Manage** > **Settings** > **Devices** > **Upload** > **Sign**.
To sign locally using signtool, see [Signing policies with signtool](signing-policies-with-signtool.md).
## Creating and Signing an App Catalog
An admin must generate an app catalog for every deployed app:
1. Use Package Inspector to [create a catalog](https://docs.microsoft.com/microsoft-store/add-unsigned-app-to-code-integrity-policy#a-href-idcreate-catalog-filesacreate-catalog-files-for-your-unsigned-app)
- Start Package Inspector to scan the installer:
```console
PackageInspector.exe start C: -path <path to installer>
```
- Open the app installer.
- Stop Package Inspector:
```console
PackageInspector.exe stop C: -Name <path\app.cat> -cdfpath <path\app.cdf>
```
2. To sign using the recommended DGSS option through the Microsoft Store for Business, click **Manage** > **Settings** > **Devices** > **Upload** > **Sign**.
To sign locally using signtool, see [Signing policies with signtool](signing-policies-with-signtool.md).
## User experience
Users will either have apps pushed directly to their devices by their admins, or they can download apps that their admins have made available through the Company Portal.