deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 12:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

edits from Sakib

Browse Source
This commit is contained in:
Justin Hall
2019-05-17 10:07:04 -07:00
parent 80dd19ba72
commit 4739a22778
4 changed files with 60 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: jsuther1974
ms.date: 05/16/2019
author: mdsakibMSFT
ms.date: 05/17/2019
---
# Allow COM object registration in a Windows Defender Application Control policy
@ -32,7 +32,7 @@ Get GUID of application to allow in one of the following ways:
- Finding block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script) and extracting GUID
- Creating audit policy (using New-CIPolicy Audit), potentially with specific provider, and use info from block events to get GUID
### Author setting
### Author policy setting to allow or deny COM object GUID
Three elements:
- Provider: platform on which code is running (values are Powershell, WSH, IE, VBA, MSI, or a wildcard “AllHostIds”)
@ -46,17 +46,28 @@ One attribute:
### Examples
Example 1: Allows registration of all COM object GUIDs in any provider
```xml
<Setting Provider="AllHostIds" Key="AllKeys" ValueName="EnterpriseDefinedClsId">
<Value>
<Boolean>true</Boolean>
</Value>
</Setting>
```
Example 2: Blocks a specific COM object from being registered via Internet Explorer (IE)
```xml
<Setting Provider="IE" Key="{00000000-4444-4444-1616-161616161616}" ValueName="EnterpriseDefinedClsId">
<Value>
<Boolean>false</Boolean>
</Value>
</Setting>
Example 3: Allows a specific COM object to register in PowerShell
```xml
<Setting Provider="PowerShell" Key="{33333333-4444-4444-1616-161616161616}" ValueName="EnterpriseDefinedClsId">
<Value>
<Boolean>true</Boolean>

4
windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md
View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: jsuther1974
ms.date: 05/14/2019
author: mdsakibMSFT
ms.date: 05/17/2019
---
# Create Windows Defender Application Control path-based rules

7
windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: jsuther1974
ms.date: 05/10/2019
author: mdsakibMSFT
ms.date: 05/17/2019
---
# Deploy multiple Windows Defender Application Control Policies
@ -44,16 +44,19 @@ Note that multiple policies will not work on pre-1903 systems.
### Allow Multiple Policies
In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in New-CIPolicy results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base.
```powershell
New-CIPolicy -MultiplePolicyFormat -foo bar
```
Optionally, you can choose to make the new base policy supplementable (allow supplemental policies).
```powershell
Set-RuleOption -FilePath <string> Enabled:Allow Supplemental Policies
```
For signed base policies that are being made supplementable, you need to ensure that supplemental signers are defined. Use the "Supplemental" switch in Add-SignerRule to provide supplemental signers.
```powershell
Add-SignerRule -FilePath <string> -CertificatePath <string> [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [<CommonParameters>]
```

25
windows/security/threat-protection/windows-defender-application-control/sideloading-win32-apps-on-windows-10-s-mode-devices.md
View File

@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: jsuther1974
ms.date: 05/06/2018
author: mdsakibMSFT
ms.date: 05/17/2018
---
# Sideloading Win32 apps on Windows 10 S mode devices
@ -51,24 +51,37 @@ To allow Win32 apps to run on a Windows 10 device in S mode, admins must unlo
## Creating and Signing a Supplemental Policy
1. Create new base policy using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps)
```powershell
New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath <path> -MultiplePolicyFormat 3> <path\CIPolicyLog.txt> -FilePath <path\SupplementalPolicy.xml>
```
2. Change it to a supplemental policy using [Set-CIPolicyIdInfo](https://docs.microsoft.com/powershell/module/configci/set-cipolicyidinfo?view=win10-ps)
```powershell
Set-CIPolicyIdInfo -BasePolicyToSupplementPath <path\SupplementalPolicy.xml> -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath <path\SupplementalPolicy.xml>
```
Note: 5951A96A-E0B5-4D3D-8FB8-3E5B61030784' is the S-mode Base Policy ID.
>[!NOTE]
>5951A96A-E0B5-4D3D-8FB8-3E5B61030784' is the S-mode Base Policy ID.
3. Put policy in enforce mode using [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps)
```powershell
Set-RuleOption -FilePath <path\SupplementalPolicy.xml> -Option 3 Delete
```
This deletes the audit mode qualifier.
4. Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps)
```powershell
ConvertFrom-CIPolicy -XmlFilePath <path\SupplementalPolicy.xml> -BinaryFilePath <path\PolicyID>
```
Note: PolicyID can be found by inspecting the Supplemental Policy XML. Convert to .bin to sign with DGSS (recommended) or .cip to sign locally.
>[!NOTE]
>PolicyID can be found by inspecting the Supplemental Policy XML. Convert to .bin to sign with DGSS (recommended) or .cip to sign locally.
5. To sign using the recommended DGSS option through the Microsoft Store for Business, click **Manage** > **Settings** > **Devices** > **Upload** > **Sign**.
To sign locally using signtool, see [Signing policies with signtool](signing-policies-with-signtool.md).
@ -76,14 +89,18 @@ To allow Win32 apps to run on a Windows 10 device in S mode, admins must unlo
An admin must generate an app catalog for every deployed app:
1. Use Package Inspector to [create a catalog](https://docs.microsoft.com/microsoft-store/add-unsigned-app-to-code-integrity-policy#a-href-idcreate-catalog-filesacreate-catalog-files-for-your-unsigned-app)
- Start Package Inspector to scan the installer:
```console
PackageInspector.exe start C: -path <path to installer>
```
- Open the app installer.
- Stop Package Inspector:
```console
PackageInspector.exe stop C: -Name <path\app.cat> -cdfpath <path\app.cdf>
```
2. To sign using the recommended DGSS option through the Microsoft Store for Business, click **Manage** > **Settings** > **Devices** > **Upload** > **Sign**.
To sign locally using signtool, see [Signing policies with signtool](signing-policies-with-signtool.md).