From 9615c49dde309ebe2dea46cc256217869d86ab80 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 6 Nov 2021 10:20:31 +0500 Subject: [PATCH 1/2] Update deploy-wdac-policies-with-script.md --- .../deploy-wdac-policies-with-script.md | 44 +++++++++++-------- 1 file changed, 25 insertions(+), 19 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 36243edbf3..817a23cb09 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -10,7 +10,7 @@ ms.reviewer: jogeurte ms.author: jogeurte ms.manager: jsuther manager: dansimp -ms.date: 04/14/2021 +ms.date: 11/06/2021 ms.technology: windows-sec ms.topic: article ms.localizationpriority: medium @@ -32,7 +32,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p > [!NOTE] > To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool. -## Script-based deployment process for Windows 10 version 1903 and above +## Deploying policies for Windows 10 version 1903 and above 1. Initialize the variables to be used by the script. 
@@ -56,23 +56,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p & $RefreshPolicyTool ``` -### Deploying signed policies - -In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. - -1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: - - ```powershell - mountvol J: /S - J: - mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active - ``` - -2. Copy the signed policy binary as `{PolicyGUID}.cip` to `J:\EFI\Microsoft\Boot\CiPolicies\Active`. - -3. Reboot the system. - -## Script-based deployment process for Windows 10 versions earlier than 1903 +## Deploying policies for Windows 10 versions earlier than 1903 1. Initialize the variables to be used by the script. 
@@ -93,3 +77,25 @@ In addition to the steps outlined above, the binary policy file must also be cop ```powershell Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary} ``` + +## Deploying signed policies + +In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. + +1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: + + ```powershell + $MountPoint = 'C:\EFI' + $EFIDestinationFolder = "$MountPoint\Microsoft\Boot\CiPolicies\Active" + $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] + mkdir $EFIDestinationFolder + mountvol $MountPoint $EFIPartition + ``` + +2. Copy the signed policy to the created folder: + + ```powershell + Copy-Item -Path $PolicyBinary -Destination $EFIDestinationFolder -Force + ``` + +3. Reboot the system. From 4b6794ec3e4f7008e876076e9313dee94b747d70 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 10 Nov 2021 10:32:51 +0500 Subject: [PATCH 2/2] Update windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../deployment/deploy-wdac-policies-with-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 817a23cb09..4368a1ce60 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -98,4 +98,4 @@ In addition to the steps outlined above, the binary policy file must also be cop Copy-Item -Path $PolicyBinary -Destination $EFIDestinationFolder -Force ``` -3. Reboot the system. +3. Restart the system.
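Review bot: In the `@@ -93,3 +77,25 @@` hunk of patch 1, `mkdir $EFIDestinationFolder` runs before `mountvol $MountPoint $EFIPartition`, so the `Microsoft\Boot\CiPolicies\Active` tree is created on the C: volume, not on the EFI system partition; `mountvol` then fails because `C:\EFI` must be an empty directory to serve as a mount point. Suggest creating only `$MountPoint` first, then `mountvol $MountPoint $EFIPartition`, then `New-Item -ItemType Directory -Path $EFIDestinationFolder -Force` (which also honors the "if it does not exist" wording in step 1, whereas `mkdir` errors on an existing folder). Two smaller points in the same hunk: step 2 references `$PolicyBinary`, while the visible context of the pre-1903 section uses `$DestinationBinary`, so confirm the variable name matches what step 1 initializes; and the EFI partition is left mounted at `C:\EFI` after the copy, so a final `mountvol $MountPoint /D` before the restart would avoid leaving the system partition exposed as a regular folder.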
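Review bot: The `@@ -56,23 +56,7 @@` hunk of patch 1 removes the instruction that the signed policy binary be copied as `{PolicyGUID}.cip` into the `CiPolicies\Active` folder, and the replacement step 2 in the new section (`Copy-Item -Path $PolicyBinary -Destination $EFIDestinationFolder -Force`) copies the file under whatever name `$PolicyBinary` carries. Since the file name on the EFI partition is what identifies the policy, please carry the `{PolicyGUID}.cip` naming requirement over into the new section so readers do not lose it in the move.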