From 99d10258df14fae82ae3199d2d5f4b7c09562b9b Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Fri, 14 Aug 2020 16:26:12 -0700 Subject: [PATCH 1/3] Add custom managed installer information Created subpage with detailed instructions on configuring managed installer --- .../TOC.md | 1 + .../configure-wdac-managed-installer.md | 160 ++++++++++++++++++ .../event-id-explanations.md | 6 +- ...lication-control-with-managed-installer.md | 136 +-------------- 4 files changed, 173 insertions(+), 130 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 1a4b279e16..fc4c0fde64 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -9,6 +9,7 @@ #### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) #### [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) #### [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md) +##### [Configure a WDAC managed installer](configure-wdac-managed-installer.md) #### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) #### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md) #### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md new file mode 100644 index 0000000000..e82c905d31 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -0,0 +1,160 @@ +--- +title: Configure a WDAC managed installer (Windows 10) +description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 06/13/2018 +--- + +# Configuring a managed installer with AppLocker and Windows Defender Application Control + +**Applies to:** + +- Windows 10 +- Windows Server 2019 + +Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled. +There are three primary steps to keep in mind: + +- Specify managed installers by using the Managed Installer rule collection in AppLocker policy. +- Enable service enforcement in AppLocker policy. +- Enable the managed installer option in a WDAC policy. + +## Specify managed installers using the Managed Installer rule collection in AppLocker policy + +The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection. + +### Create Managed Installer rule collection + +Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. + +1. Use [New-AppLockerPolicy](https://docs.microsoft.com/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability. + + ```powershell + Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml + ``` + +2. Manually rename the rule collection to ManagedInstaller + + Change + + ```powershell + + ``` + + to + + ```powershell + + ``` + +An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below. + +```xml + + + + + + + + + + + + + + + + +``` + +### Enable service enforcement in AppLocker policy + +Since many installation processes rely on services, it is typically necessary to enable tracking of services. +Correct tracking of services requires the presence of at least one rule in the rule collection, so a simple audit only rule will suffice. This can be added to the policy created above which specifies your managed installer rule collection. + +For example: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Enable the managed installer option in WDAC policy + +In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy. +This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) with Option 13. + +Below are steps to create a WDAC policy which allows Windows to boot and enables the managed installer option. + +1. Copy the DefaultWindows_Audit policy into your working folder from C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml + +2. Reset the policy ID to ensure it is in multiple policy format and give it a different GUID from the example policies. Also give it a friendly name to help with identification. + + Ex. + + ```powershell + Set-CIPolicyIdInfo -FilePath -PolicyName "" -ResetPolicyID + ``` + +3. Set Option 13 (Enabled:Managed Installer) + + ```powershell + Set-RuleOption -FilePath -Option 13 + ``` + +## Set the AppLocker filter driver to autostart + +To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it. + +To do so, run the following command as an Administrator: + +```console +appidtel.exe start [-mionly] +``` + +Specify `-mionly` if you will not use the Intelligent Security Graph (ISG). + +## Enabling managed installer logging events + +Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 965a842f19..56b4a80d67 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -30,7 +30,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 3076 | Audit executable/dll file | | 3077 | Block executable/dll file | -| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | 3099 | Indicates that a policy has been loaded | ## Microsoft Windows Applocker MSI and Script log event IDs @@ -39,7 +39,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | | 8029 | Block script/MSI file | -| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | | +| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events @@ -73,7 +73,7 @@ In order to enable 3091 audit events and 3092 block events, you must create a Te ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 ``` -In order to enable 3090 allow events, you must create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: +In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md index f0c0979e51..d6810894b4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 06/13/2018 +ms.date: 08/14/2020 --- # Authorize apps deployed with a WDAC managed installer @@ -24,136 +24,21 @@ ms.date: 06/13/2018 - Windows 10 - Windows Server 2019 -Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC). -This is especially true for enterprises with large, ever changing software catalogs. - -Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager. +Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. A managed installer helps an IT admin balance security and manageability requirements when employing application execution control policies by providing an option that does not require specifying explicit rules for software that is being managed through a software distribution solution. ## How does a managed installer work? -A managed installer uses a new rule collection in AppLocker to specify one or more executables that are trusted by the organization as an authorized source for application deployment. -Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable’s process (or processes it launches) as having originated from a trusted installation authority. The Managed Installer rule collection is currently supported for AppLocker rules in Group Policy and in Configuration Manager, but not in the AppLocker CSP for OMA-URI policies. +A managed installer uses a new rule collection in AppLocker to specify one or more executables that are trusted by the organization as an authorized source for application deployment. -Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy. -If there are no deny rules present for the file, it will be authorized based on the managed installer origin information. +Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable's process (or processes it launches) as having originated from a trusted installation authority. The Managed Installer rule collection is currently supported for AppLocker rules in Group Policy and in Configuration Manager, but not in the AppLocker CSP for OMA-URI policies. + +Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the managed installer origin information. Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer. -Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps. +An example managed installer use-case can be seen in the guidance for [creating a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md). -## Configuring a managed installer with AppLocker and Windows Defender Application Control - -Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled. -There are three primary steps to keep in mind: - -- Specify managed installers by using the Managed Installer rule collection in AppLocker policy. -- Enable service enforcement in AppLocker policy. -- Enable the managed installer option in a WDAC policy. - -### Specify managed installers using the Managed Installer rule collection in AppLocker policy - -The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection. -Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. - -An example of a valid Managed Installer rule collection is shown below. -For more information about creating an AppLocker policy that includes a managed installer and configuring client devices, see [Simplify application listing with Configuration Manager and Windows 10](https://cloudblogs.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/). -As mentioned above, the AppLocker CSP for OMA-URI policies does not currently support the Managed Installer rule collection or the Service Enforcement rule extensions mentioned below. - - -```xml - - - - - - - - - - - - - - - - -``` - -## Enable service enforcement in AppLocker policy - -Since many installation processes rely on services, it is typically necessary to enable tracking of services. -Correct tracking of services requires the presence of at least one rule in the rule collection — a simple audit only rule will suffice. -For example: - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -### Enable the managed installer option in WDAC policy - -In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy. -This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). -An example of the managed installer option being set in policy is shown below. - -```xml - - - - - - - - - - - - - - - - - -``` - -## Set the AppLocker filter driver to autostart - -To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it. -Run the following command as an Administrator: - -```console -appidtel.exe start [-mionly] -``` - -Specify `-mionly` if you will not use the Intelligent Security Graph (ISG). +Note that a WDAC policy with managed installer configured will begin to tag files which originated from that managed installer, regardless of whether the policy is in audit or enforced mode. ## Security considerations with managed installer @@ -167,15 +52,12 @@ To avoid this, ensure that the application deployment solution being used as a m ## Known limitations with managed installer -- Application execution control based on managed installer does not support applications that self-update. +- Application execution control based on managed installer does not support applications that self-update/auto-update. If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run. Enterprises should deploy and install all application updates using the managed installer. In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method. -- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments. -Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode. - - Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. - Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic. From 8b563d30d91283e4f5271c9d5dc920ff236c63de Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Tue, 25 Aug 2020 14:56:06 -0700 Subject: [PATCH 2/3] Correct indented code block suggestion --- .../event-id-explanations.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 56b4a80d67..6601f20830 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -70,11 +70,12 @@ Below are the fields which help to diagnose what a 3090, 3091, or 3092 event ind In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command: - ```powershell - reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 - ``` +```powershell +reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 +``` + In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: - ```powershell - reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 - ``` +```powershell +reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 +``` From 87688120f7e76aab8adc9f07f78a788d3cf4a757 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Tue, 25 Aug 2020 15:27:27 -0700 Subject: [PATCH 3/3] Update MEMCM MI example --- .../configure-wdac-managed-installer.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index e82c905d31..b7f98f9949 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -1,6 +1,6 @@ --- title: Configure a WDAC managed installer (Windows 10) -description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager. +description: Explains how to configure a custom Manged Installer. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 06/13/2018 +ms.date: 08/14/2020 --- # Configuring a managed installer with AppLocker and Windows Defender Application Control @@ -63,16 +63,16 @@ An example of a valid Managed Installer rule collection using Microsoft Endpoint ```xml - + - + - + - +