From 29efe5f7958b6f634b7432f2fcc4553dd7a01b08 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 25 Mar 2022 09:44:13 +0530 Subject: [PATCH] Acrolinx fixes --- .../mdm/applicationcontrol-csp.md | 26 +++++++------- .../client-management/mdm/applocker-csp.md | 34 +++++++++---------- .../mdm/certificatestore-csp.md | 8 ++--- 3 files changed, 34 insertions(+), 34 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index daf90cbbe7..69126b6352 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -23,7 +23,7 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. +Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot. Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. 
Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. @@ -92,14 +92,14 @@ Scope is dynamic. Supported operation is Get. Value type is char. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective** -This node specifies whether a policy is actually loaded by the enforcement engine and is in effect on a system. +This node specifies whether a policy is loaded by the enforcement engine and is in effect on a system. Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system. -- False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default. +- True—Indicates that the policy is loaded by the enforcement engine and is in effect on a system. +- False—Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This is the default. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed** This node specifies whether a policy is deployed on the system and is present on the physical machine. 
@@ -108,18 +108,18 @@ Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is deployed on the system and is present on the physical machine. -- False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default. +- True—Indicates that the policy is deployed on the system and is present on the physical machine. +- False—Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This is the default. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** -This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy cannot take effect on the system. +This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy can't take effect on the system. Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system. -- False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. +- True—Indicates that the policy is authorized to be loaded by the enforcement engine on the system. +- False—Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes: 
@@ -156,7 +156,7 @@ For customers using Intune standalone or hybrid management with Microsoft Endpoi ## Generic MDM Server Usage Guidance -In order to leverage the ApplicationControl CSP without using Intune, you must: +In order to use the ApplicationControl CSP without using Intune, you must: 1. Know a generated policy's GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. 2. Convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet in order to be deployed. The binary policy may be signed or unsigned. @@ -183,7 +183,7 @@ To deploy base policy and supplemental policies: 1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. 2. Repeat for each base or supplemental policy (with its own GUID and data). -The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy supplements and does'nt need to be reflected in the ADD). +The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy supplements and doesn't need to be reflected in the ADD). #### Example 1: Add first base policy 
@@ -301,7 +301,7 @@ The following is an example of Delete command: ## PowerShell and WMI Bridge Usage Guidance -The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). +The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). ### Setup for using the WMI Bridge @@ -317,7 +317,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi ### Deploying a policy via WMI Bridge -Run the following command. PolicyID is a GUID which can be found in the policy xml, and should be used here without braces. +Run the following command. PolicyID is a GUID, which can be found in the policy xml, and should be used here without braces. ```powershell New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{ParentID="./Vendor/MSFT/ApplicationControl/Policies";InstanceID="";Policy=$policyBase64} diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 62a83e99c6..a368b2d0ec 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md 
@@ -24,7 +24,7 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked. +The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked. The following shows the AppLocker configuration service provider in tree format. @@ -108,7 +108,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. 
@@ -132,7 +132,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -151,7 +151,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. 
@@ -170,7 +170,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -189,7 +189,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. 
@@ -216,9 +216,9 @@ Supported operations are Get, Add, Delete, and Replace. > To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP. **AppLocker/EnterpriseDataProtection** -Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). +Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). -In Windows 10, version 1607, the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. +In Windows 10, version 1607, the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. You can set the allowed list using the following URI: 
@@ -237,7 +237,7 @@ Exempt examples: Additional information: -- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. +- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator doesn't accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. **AppLocker/EnterpriseDataProtection/_Grouping_** Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job is to determine what their purpose is, and to not conflict with other identifiers that they define. @@ -271,7 +271,7 @@ Supported operations are Get, Add, Delete, and Replace. **To find Publisher and PackageFullName of apps:** -1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). +1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive). 2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. The **Device Portal** page opens on your browser. 
@@ -279,11 +279,11 @@ Supported operations are Get, Add, Delete, and Replace. ![device portal screenshot.](images/applocker-screenshot1.png) 3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. -4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. +4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps. ![device portal app manager.](images/applocker-screenshot3.png) -5. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. +5. If you don't see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. ![app manager.](images/applocker-screenshot2.png) @@ -295,7 +295,7 @@ The following table shows the mapping of information to the AppLocker publisher |Publisher|Publisher| |Version|Version: This can be used either in the HighSection or LowSection of the BinaryVersionRange.

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.| -Here is an example AppLocker publisher rule: +Here's an example AppLocker publisher rule: ```xml @@ -319,7 +319,7 @@ Request URI: https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata ``` -Here is the example for Microsoft OneNote: +Here's the example for Microsoft OneNote: Request @@ -342,11 +342,11 @@ Result |--- |--- | |packageIdentityName|ProductName| |publisherCertificateName|Publisher| -|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

This value will only be present if there is a XAP package associated with the app in the Store.

If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| +|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

This value will only be present if there's a XAP package associated with the app in the Store.

If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| ## Settings apps that rely on splash apps -These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. +These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. The product name is first part of the PackageFullName followed by the version number. @@ -1285,7 +1285,7 @@ The following example for Windows 10 Holographic for Business denies all apps an ## Recommended deny list for Windows Information Protection -The following example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. +The following example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator doesn't accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. In this example, Contoso is the node name. We recommend using a GUID for this node. diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index ba6c37f41f..4870706fd5 100644 
--- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -30,7 +30,7 @@ The CertificateStore configuration service provider is used to add secure socket > The CertificateStore configuration service provider does not support installing client certificates. > The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. -For the CertificateStore CSP, you cannot use the Replace command, unless the node already exists. +For the CertificateStore CSP, you can't use the Replace command, unless the node already exists. The following shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. @@ -131,7 +131,7 @@ Supported operation is Get. > CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates. **My/User** -Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. +Defines the certificate store that contains public keys for client certificates. It is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. Supported operation is Get. 
@@ -139,7 +139,7 @@ Supported operation is Get. > My/User is case sensitive. **My/System** -Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. +Defines the certificate store that contains public key for client certificate. It is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. Supported operation is Get. @@ -371,7 +371,7 @@ Optional. Specifies the URL of certificate renewal server. If this node doesn't Supported operations are Add, Get, Delete, and Replace. **My/WSTEP/Renew/RenewalPeriod** -Optional. specifies the time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. +Optional. specifies the time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. The default value is 42 and the valid values are 1 – 1000. Value type is an integer.
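Review bot: In applicationcontrol-csp.md, hunk @@ -108,18, the IsAuthorized "False" bullet still reads "the policy is not authorized to be loaded", while the IsEffective and IsDeployed "False" bullets changed in this same patch now use "isn't". Change that bullet to "isn't authorized" so the three node descriptions stay parallel. The bullet's only change at present is the dash spacing.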
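Review bot: In applicationcontrol-csp.md, hunk @@ -156,7, swapping "leverage" for "use" leaves "In order to use the ApplicationControl CSP without using Intune", which repeats the verb. Suggest "To use the ApplicationControl CSP without Intune, you must:".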
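Review bot: In applocker-csp.md, hunk @@ -237,7, the rewritten sentence still contains the garbled clause "doesn't accidentally make these apps that are Windows Information Protection allowed"; only the contraction changed. The identical sentence in hunk @@ -1285,7 has the same problem. Since both lines are already being touched, reword the clause in both places, for example "doesn't accidentally add these apps to the Windows Information Protection allowed list", so the purpose of the deny list reads unambiguously.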
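Review bot: In applocker-csp.md, hunk @@ -279,11, step 5 is modified for "don't" but keeps the broken hyphenation "drop- down menu" on the same line. Fix it to "drop-down menu" in this change. The version table cell in the next hunk's context has the same defect in "version- independent".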
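Review bot: In certificatestore-csp.md, hunks @@ -131,7 (My/User) and @@ -139,7 (My/System), replacing "This is only used" with "It is only used" leaves the pronoun with no clear antecedent, because the preceding sentence mentions both the certificate store and the public keys. It also skips the contraction this patch applies everywhere else. Suggest "This store is only used by enterprise servers to push down the public key of a client certificate" in both nodes.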
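Review bot: In certificatestore-csp.md, hunk @@ -371,7 (My/WSTEP/Renew/RenewalPeriod), the changed line still begins "Optional. specifies the time (in days)" with a lowercase "s" after the period. Capitalize it to "Optional. Specifies" while the line is being edited. The same line says "renew process" and "renew period" where the node name and the rest of the sentence use "renewal", which is worth aligning.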