edits from Sakib

This commit is contained in:
Justin Hall
2019-05-17 10:07:04 -07:00
parent 80dd19ba72
commit 4739a22778
4 changed files with 60 additions and 29 deletions

View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: jsuther1974 author: mdsakibMSFT
ms.date: 05/16/2019 ms.date: 05/17/2019
--- ---
# Allow COM object registration in a Windows Defender Application Control policy # Allow COM object registration in a Windows Defender Application Control policy
@ -32,7 +32,7 @@ Get GUID of application to allow in one of the following ways:
- Finding block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script) and extracting GUID - Finding block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script) and extracting GUID
- Creating audit policy (using New-CIPolicy Audit), potentially with specific provider, and use info from block events to get GUID - Creating audit policy (using New-CIPolicy Audit), potentially with specific provider, and use info from block events to get GUID
### Author setting ### Author policy setting to allow or deny COM object GUID
Three elements: Three elements:
- Provider: platform on which code is running (values are Powershell, WSH, IE, VBA, MSI, or a wildcard “AllHostIds”) - Provider: platform on which code is running (values are Powershell, WSH, IE, VBA, MSI, or a wildcard “AllHostIds”)
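Review bot: the provider list on this line spells the value "Powershell", while Example 3 in the same file sets `Provider="PowerShell"`; pick one casing for the attribute value (the example's `PowerShell`) so readers who copy the value from the list match what the example uses.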
@ -46,21 +46,32 @@ One attribute:
### Examples ### Examples
Example 1: Allows registration of all COM object GUIDs in any provider
```xml ```xml
<Setting Provider="AllHostIds" Key="AllKeys" ValueName="EnterpriseDefinedClsId"> <Setting Provider="AllHostIds" Key="AllKeys" ValueName="EnterpriseDefinedClsId">
<Value> <Value>
<Boolean>true</Boolean> <Boolean>true</Boolean>
</Value> </Value>
</Setting> </Setting>
<Setting Provider="IE" Key="{00000000-4444-4444-1616-161616161616}" ValueName="EnterpriseDefinedClsId"> ```
Example 2: Blocks a specific COM object from being registered via Internet Explorer (IE)
```xml
<Setting Provider="IE" Key="{00000000-4444-4444-1616-161616161616}" ValueName="EnterpriseDefinedClsId">
<Value> <Value>
<Boolean>false</Boolean> <Boolean>false</Boolean>
</Value> </Value>
</Setting> </Setting>
<Setting Provider="PowerShell" Key="{33333333-4444-4444-1616-161616161616}" ValueName="EnterpriseDefinedClsId">
Example 3: Allows a specific COM object to register in PowerShell
```xml
<Setting Provider="PowerShell" Key="{33333333-4444-4444-1616-161616161616}" ValueName="EnterpriseDefinedClsId">
<Value> <Value>
<Boolean>true</Boolean> <Boolean>true</Boolean>
</Value> </Value>
</Setting> </Setting>
``` ```
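Review bot: Example 1 (`Provider="AllHostIds" Key="AllKeys"` with `<Boolean>true</Boolean>`) is a blanket allow of every COM object in every host, which switches off the COM restriction this page is about; the label should say it is the least restrictive setting and that a specific Key, as in Example 3, is the normal choice. The section also never says how a specific-key `false` (Example 2) is evaluated when an `AllKeys` `true` setting is present in the same policy; one sentence on precedence would stop readers from assuming either way.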

View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: jsuther1974 author: mdsakibMSFT
ms.date: 05/14/2019 ms.date: 05/17/2019
--- ---
# Create Windows Defender Application Control path-based rules # Create Windows Defender Application Control path-based rules

View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: jsuther1974 author: mdsakibMSFT
ms.date: 05/10/2019 ms.date: 05/17/2019
--- ---
# Deploy multiple Windows Defender Application Control Policies # Deploy multiple Windows Defender Application Control Policies
@ -44,19 +44,22 @@ Note that multiple policies will not work on pre-1903 systems.
### Allow Multiple Policies ### Allow Multiple Policies
In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in New-CIPolicy results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in New-CIPolicy results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base.
```powershell ```powershell
New-CIPolicy -MultiplePolicyFormat -foo bar New-CIPolicy -MultiplePolicyFormat -foo bar
``` ```
Optionally, you can choose to make the new base policy supplementable (allow supplemental policies). Optionally, you can choose to make the new base policy supplementable (allow supplemental policies).
```powershell ```powershell
Set-RuleOption -FilePath <string> Enabled:Allow Supplemental Policies Set-RuleOption -FilePath <string> Enabled:Allow Supplemental Policies
``` ```
For signed base policies that are being made supplementable, you need to ensure that supplemental signers are defined. Use the "Supplemental" switch in Add-SignerRule to provide supplemental signers. For signed base policies that are being made supplementable, you need to ensure that supplemental signers are defined. Use the "Supplemental" switch in Add-SignerRule to provide supplemental signers.
```powershell
Add-SignerRule -FilePath <string> -CertificatePath <string> [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [<CommonParameters>] ```powershell
``` Add-SignerRule -FilePath <string> -CertificatePath <string> [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [<CommonParameters>]
```
### Supplemental Policy Creation ### Supplemental Policy Creation
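Review bot: `New-CIPolicy -MultiplePolicyFormat -foo bar` still carries the `-foo bar` placeholder, which is not a parameter of the cmdlet; replace it with the real invocation this same commit uses in the S-mode file (`New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath <path> -MultiplePolicyFormat -FilePath <path\BasePolicy.xml>`) or at minimum `-FilePath <string>`. Likewise `Set-RuleOption -FilePath <string> Enabled:Allow Supplemental Policies` is not a valid call: Set-RuleOption takes the rule by number (`-Option <int>`, as this commit's own `-Option 3 Delete` shows), and Enabled:Allow Supplemental Policies is option 17, so the line should read `Set-RuleOption -FilePath <string> -Option 17`.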

View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: jsuther1974 author: mdsakibMSFT
ms.date: 05/06/2018 ms.date: 05/17/2018
--- ---
# Sideloading Win32 apps on Windows 10 S mode devices # Sideloading Win32 apps on Windows 10 S mode devices
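Review bot: the date on this file's front matter changes to `05/17/2018`, but the commit is dated 2019-05-17 and the other three files in this commit move to `05/17/2019`; the year looks like a typo and should be 2019.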
@ -51,24 +51,37 @@ To allow Win32 apps to run on a Windows 10 device in S mode, admins must unlo
## Creating and Signing a Supplemental Policy ## Creating and Signing a Supplemental Policy
1. Create new base policy using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) 1. Create new base policy using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps)
```powershell ```powershell
New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath <path> -MultiplePolicyFormat 3> <path\CIPolicyLog.txt> -FilePath <path\SupplementalPolicy.xml> New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath <path> -MultiplePolicyFormat 3> <path\CIPolicyLog.txt> -FilePath <path\SupplementalPolicy.xml>
``` ```
2. Change it to a supplemental policy using [Set-CIPolicyIdInfo](https://docs.microsoft.com/powershell/module/configci/set-cipolicyidinfo?view=win10-ps) 2. Change it to a supplemental policy using [Set-CIPolicyIdInfo](https://docs.microsoft.com/powershell/module/configci/set-cipolicyidinfo?view=win10-ps)
```powershell ```powershell
Set-CIPolicyIdInfo -BasePolicyToSupplementPath <path\SupplementalPolicy.xml> -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath <path\SupplementalPolicy.xml> Set-CIPolicyIdInfo -BasePolicyToSupplementPath <path\SupplementalPolicy.xml> -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath <path\SupplementalPolicy.xml>
``` ```
Note: 5951A96A-E0B5-4D3D-8FB8-3E5B61030784' is the S-mode Base Policy ID.
>[!NOTE]
>5951A96A-E0B5-4D3D-8FB8-3E5B61030784' is the S-mode Base Policy ID.
3. Put policy in enforce mode using [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) 3. Put policy in enforce mode using [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps)
```powershell ```powershell
Set-RuleOption -FilePath <path\SupplementalPolicy.xml> -Option 3 Delete Set-RuleOption -FilePath <path\SupplementalPolicy.xml> -Option 3 Delete
``` ```
This deletes the audit mode qualifier. This deletes the audit mode qualifier.
4. Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) 4. Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps)
```powershell ```powershell
ConvertFrom-CIPolicy -XmlFilePath <path\SupplementalPolicy.xml> -BinaryFilePath <path\PolicyID> ConvertFrom-CIPolicy -XmlFilePath <path\SupplementalPolicy.xml> -BinaryFilePath <path\PolicyID>
``` ```
Note: PolicyID can be found by inspecting the Supplemental Policy XML. Convert to .bin to sign with DGSS (recommended) or .cip to sign locally.
>[!NOTE]
>PolicyID can be found by inspecting the Supplemental Policy XML. Convert to .bin to sign with DGSS (recommended) or .cip to sign locally.
5. To sign using the recommended DGSS option through the Microsoft Store for Business, click **Manage** > **Settings** > **Devices** > **Upload** > **Sign**. 5. To sign using the recommended DGSS option through the Microsoft Store for Business, click **Manage** > **Settings** > **Devices** > **Upload** > **Sign**.
To sign locally using signtool, see [Signing policies with signtool](signing-policies-with-signtool.md). To sign locally using signtool, see [Signing policies with signtool](signing-policies-with-signtool.md).
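Review bot: both NOTE callouts keep a stray trailing apostrophe after the base policy ID (`5951A96A-E0B5-4D3D-8FB8-3E5B61030784'`), which readers will copy straight into `-SupplementsBasePolicyID`; drop it. In step 4 the note says to produce a .bin for DGSS or a .cip for local signing, but the placeholder `-BinaryFilePath <path\PolicyID>` shows neither extension; make it `<path\{PolicyID}.bin>` (or `.cip`) so the output name matches the note, and state that {PolicyID} is the PolicyID value read from the supplemental policy XML.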
@ -76,14 +89,18 @@ To allow Win32 apps to run on a Windows 10 device in S mode, admins must unlo
An admin must generate an app catalog for every deployed app: An admin must generate an app catalog for every deployed app:
1. Use Package Inspector to [create a catalog](https://docs.microsoft.com/microsoft-store/add-unsigned-app-to-code-integrity-policy#a-href-idcreate-catalog-filesacreate-catalog-files-for-your-unsigned-app) 1. Use Package Inspector to [create a catalog](https://docs.microsoft.com/microsoft-store/add-unsigned-app-to-code-integrity-policy#a-href-idcreate-catalog-filesacreate-catalog-files-for-your-unsigned-app)
- Start Package Inspector to scan the installer: - Start Package Inspector to scan the installer:
```console ```console
PackageInspector.exe start C: -path <path to installer> PackageInspector.exe start C: -path <path to installer>
``` ```
- Open the app installer. - Open the app installer.
- Stop Package Inspector: - Stop Package Inspector:
```console ```console
PackageInspector.exe stop C: -Name <path\app.cat> -cdfpath <path\app.cdf> PackageInspector.exe stop C: -Name <path\app.cat> -cdfpath <path\app.cdf>
``` ```
2. To sign using the recommended DGSS option through the Microsoft Store for Business, click **Manage** > **Settings** > **Devices** > **Upload** > **Sign**. 2. To sign using the recommended DGSS option through the Microsoft Store for Business, click **Manage** > **Settings** > **Devices** > **Upload** > **Sign**.
To sign locally using signtool, see [Signing policies with signtool](signing-policies-with-signtool.md). To sign locally using signtool, see [Signing policies with signtool](signing-policies-with-signtool.md).
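Review bot: step 2 says **Upload** > **Sign** without naming the file to upload; since this step follows the catalog generation, say that the `<path\app.cat>` written by `PackageInspector.exe stop` is the file to upload for DGSS signing, so readers do not pick the .cdf by mistake.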