ApplicationControl CSP

Vinay Pamnani 2023-02-16 15:59:04 -05:00
parent 4fb7e86aee
commit 4fad35f9d1
2 changed files with 1163 additions and 324 deletions

@ -1,55 +1,135 @@
--- ---
title: ApplicationControl CSP DDF title: ApplicationControl DDF file
description: View the OMA DM device description framework (DDF) for the ApplicationControl configuration service provider. DDF files are used only with OMA DM provisioning XML. description: View the XML file containing the device description framework (DDF) for the ApplicationControl configuration service provider.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 02/16/2023
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.date: 07/10/2019
--- ---
# ApplicationControl CSP DDF <!-- Auto-Generated CSP Document -->
This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML. # ApplicationControl DDF file
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). The following XML file contains the device description framework (DDF) for the ApplicationControl configuration service provider.
```xml ```xml
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" <!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM"> <MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD> <VerDTD>1.2</VerDTD>
<MSFT:Diagnostics>
</MSFT:Diagnostics>
<Node>
<NodeName>ApplicationControl</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root Node of the ApplicationControl CSP</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.18362</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>Policies</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Beginning of a Subtree that contains all policies.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Policies</DFTitle>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node> <Node>
<NodeName>ApplicationControl</NodeName> <NodeName>
<Path>./Vendor/MSFT</Path> </NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>Root Node of the ApplicationControl CSP.</Description> <Description>The GUID of the Policy</Description>
<DFFormat> <DFFormat>
<node /> <node />
</DFFormat> </DFFormat>
<Occurrence> <Occurrence>
<One /> <ZeroOrMore />
</Occurrence> </Occurrence>
<Scope> <Scope>
<Permanent /> <Dynamic />
</Scope> </Scope>
<DFTitle>Policy GUID</DFTitle>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
<MSFT:DynamicNodeNaming>
<MSFT:UniqueName>The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob.</MSFT:UniqueName>
</MSFT:DynamicNodeNaming>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName>Policies</NodeName> <NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The policy binary encoded as base64. Supported value is a binary file, converted from the policy XML file by the ConvertFrom-CIPolicy cmdlet.</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Policy</DFTitle>
<DFType>
<DDFName />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PolicyInfo</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>Beginning of a Subtree that contains all policies.</Description> <Description>Information Describing the Policy indicated by the GUID</Description>
<DFFormat> <DFFormat>
<node /> <node />
</DFFormat> </DFFormat>
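Review bot: In the `MSFT:Applicability` block added to the root node, `EditionAllowList` contains `0x88;0x88*;`, and the `0x88*` entry directly after `0x88` is the only value in the list carrying an asterisk. If the marker is meaningful it needs a comment or a documented convention; if it is a generator artifact it should be dropped, since any consumer that splits this list on `;` and parses each entry as hex will fail on it. The dynamic policy node also changes from `<NodeName></NodeName>` to an element whose open and close tags sit on separate lines, so its text is whitespace rather than empty; consider emitting `<NodeName />` so a consumer that does not trim still sees an empty name. Finally, the rewritten introduction drops the link to the CSP DDF files download page and the statement that DDF files are used only with OMA DM provisioning XML; keep one of them if that guidance still applies.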
@ -57,219 +137,337 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<One /> <One />
</Occurrence> </Occurrence>
<Scope> <Scope>
<Permanent /> <Dynamic />
</Scope> </Scope>
<DFTitle>Policies</DFTitle> <DFTitle>PolicyInfo</DFTitle>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName></NodeName> <NodeName>Version</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>The GUID of the Policy.</Description> <Description>Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type</Description>
<DFFormat> <DFFormat>
<node /> <chr />
</DFFormat> </DFFormat>
<Occurrence> <Occurrence>
<ZeroOrMore /> <One />
</Occurrence> </Occurrence>
<Scope> <Scope>
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFTitle>Policy GUID</DFTitle> <DFTitle>Version</DFTitle>
<DFType> <DFType>
<DDFName></DDFName> <MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsBasePolicy</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>TRUE/FALSE if the Policy is a Base Policy versus a Supplemental Policy</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IsBasePolicy</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsSystemPolicy</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>TRUE/FALSE if the Policy is a System Policy, that is a policy managed by Microsoft as part of the OS</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IsSystemPolicy</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsEffective</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect)</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IsEffective</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsDeployed</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is deployed on the system (on the physical machine)</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IsDeployed</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsAuthorized</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system </Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IsAuthorized</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The Current Status of the Policy Indicated by the Policy GUID</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Status</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FriendlyName</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The FriendlyName of the Policy Indicated by the Policy GUID</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>FriendlyName</DFTitle>
<DFType>
<MIME />
</DFType> </DFType>
</DFProperties> </DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>The policy binary encoded as base64.</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Policy</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PolicyInfo</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Information Describing the Policy indicated by the GUID.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PolicyInfo</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Version</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Version of the Policy indicated by the GUID, as a string. When parsing, use a uint64 as the containing data type.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Version</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsEffective</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is effective on the system (loaded by the enforcement engine and in effect).</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IsEffective</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsDeployed</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is deployed on the system (on the physical machine).</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IsDeployed</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsAuthorized</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system. </Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IsAuthorized</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The Current Status of the Policy Indicated by the Policy GUID.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Status</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FriendlyName</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The FriendlyName of the Policy Indicated by the Policy GUID.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>FriendlyName</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node> </Node>
</Node> </Node>
</Node> </Node>
</Node>
<Node>
<NodeName>Tokens</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Beginning of a Subtree that contains all tokens.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Tokens</DFTitle>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>
</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Arbitrary ID used to differentiate tokens</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ID</DFTitle>
<DFType>
<DDFName />
</DFType>
<MSFT:DynamicNodeNaming>
<MSFT:UniqueName>The ApplicationControl CSP enforces that the "ID" segment of a given token URI is unique.</MSFT:UniqueName>
</MSFT:DynamicNodeNaming>
</DFProperties>
<Node>
<NodeName>Token</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The token binary encoded as base64. Supported value is a binary file, obtained from the OneCoreDeviceUnlockService.</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Token</DFTitle>
<DFType>
<DDFName />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>TokenInfo</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Information Describing the Token indicated by the corresponding ID.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>TokenInfo</DFTitle>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The Current Status of the Token Indicated by the Token ID</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Status</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Type</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The Type of Token Indicated by the Token ID</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Type</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree> </MgmtTree>
``` ```
## Related topics ## Related articles
[ApplicationControl configuration service provider](applicationcontrol-csp.md) [ApplicationControl configuration service provider reference](applicationcontrol-csp.md)
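Review bot: The leaf nodes under PolicyInfo (Version, IsEffective, IsDeployed, IsAuthorized, Status, FriendlyName) previously declared `<MIME>text/plain</MIME>` and now carry an empty `<MIME />`, as do the new IsBasePolicy, IsSystemPolicy and TokenInfo leaves. If the type is intentionally omitted, say so in the commit message; otherwise restore `text/plain` so tools that read `DFType` keep a declared content type. The new `int` nodes TokenInfo/Status and TokenInfo/Type, like the Status node under PolicyInfo, have descriptions that name no values, so a reader cannot interpret a returned status or type; list the values or link to where they are defined. The regenerated descriptions also lose their terminal periods, `When parsing use a uint64` loses its comma, and the IsAuthorized description ends with a space before `</Description>`.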

@ -1,155 +1,793 @@
--- ---
title: ApplicationControl CSP title: ApplicationControl CSP
description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server. description: Learn more about the ApplicationControl CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 02/16/2023
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.reviewer: jsuther1974
ms.date: 09/10/2020
--- ---
<!-- Auto-Generated CSP Document -->
<!-- ApplicationControl-Begin -->
# ApplicationControl CSP # ApplicationControl CSP
The table below shows the applicability of Windows: <!-- ApplicationControl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|Edition|Windows 10|Windows 11| Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
<!-- ApplicationControl-Editable-End -->
The following example shows the ApplicationControl CSP in tree format. <!-- ApplicationControl-Tree-Begin -->
The following example shows the ApplicationControl configuration service provider in tree format.
```console ```text
./Vendor/MSFT ./Vendor/MSFT/ApplicationControl
ApplicationControl --- Policies
----Policies ------ {Policy GUID}
--------Policy GUID --------- Policy
------------Policy --------- PolicyInfo
------------PolicyInfo ------------ FriendlyName
----------------Version ------------ IsAuthorized
----------------IsEffective ------------ IsBasePolicy
----------------IsDeployed ------------ IsDeployed
----------------IsAuthorized ------------ IsEffective
----------------Status ------------ IsSystemPolicy
----------------FriendlyName ------------ Status
------------Token ------------ Version
----------------TokenID --- Tokens
----Tokens ------ {ID}
--------ID --------- Token
------------Token --------- TokenInfo
------------TokenInfo ------------ Status
----------------Status ------------ Type
------------PolicyIDs
----------------Policy GUID
----TenantID
----DeviceID
``` ```
<!-- ApplicationControl-Tree-End -->
<a href="" id="vendor-msft-applicationcontrol"></a>**./Vendor/MSFT/ApplicationControl** <!-- Device-Policies-Begin -->
Defines the root node for the ApplicationControl CSP. ## Policies
Scope is permanent. Supported operation is Get. <!-- Device-Policies-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-Applicability-End -->
<a href="" id="applicationcontrol-policies"></a>**ApplicationControl/Policies** <!-- Device-Policies-OmaUri-Begin -->
An interior node that contains all the policies, each identified by their globally unique identifier (GUID). ```Device
./Vendor/MSFT/ApplicationControl/Policies
```
<!-- Device-Policies-OmaUri-End -->
Scope is permanent. Supported operation is Get. <!-- Device-Policies-Description-Begin -->
<!-- Description-Source-DDF -->
Beginning of a Subtree that contains all policies.
<!-- Device-Policies-Description-End -->
<a href="" id="applicationcontrol-policies-policyguid"></a>**ApplicationControl/Policies/_Policy GUID_** <!-- Device-Policies-Editable-Begin -->
The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each *Policy GUID* node contains a Policy node and a corresponding PolicyInfo node. <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Each policy is identified by their globally unique identifier (GUID).
<!-- Device-Policies-Editable-End -->
Scope is dynamic. Supported operation is Get. <!-- Device-Policies-DFProperties-Begin -->
**Description framework properties**:
<a href="" id="applicationcontrol-policies-policyguid-policy"></a>**ApplicationControl/Policies/_Policy GUID_/Policy** | Property name | Property value |
This node is the policy binary itself, which is encoded as base64. |:--|:--|
| Format | node |
| Access Type | Get |
<!-- Device-Policies-DFProperties-End -->
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. <!-- Device-Policies-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-Examples-End -->
Value type is b64. Supported value is a binary file, converted from the policy XML file by the ConvertFrom-CIPolicy cmdlet. <!-- Device-Policies-End -->
<!-- Device-Policies-{Policy GUID}-Begin -->
### Policies/{Policy GUID}
<!-- Device-Policies-{Policy GUID}-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}
```
<!-- Device-Policies-{Policy GUID}-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-Description-Begin -->
<!-- Description-Source-DDF -->
The GUID of the Policy.
<!-- Device-Policies-{Policy GUID}-Description-End -->
<!-- Device-Policies-{Policy GUID}-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Each Policy GUID node contains a Policy node and a corresponding PolicyInfo node.
<!-- Device-Policies-{Policy GUID}-Editable-End -->
<!-- Device-Policies-{Policy GUID}-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Get |
| Dynamic Node Naming | UniqueName: The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob. |
<!-- Device-Policies-{Policy GUID}-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-Examples-End -->
<!-- Device-Policies-{Policy GUID}-End -->
<!-- Device-Policies-{Policy GUID}-Policy-Begin -->
#### Policies/{Policy GUID}/Policy
<!-- Device-Policies-{Policy GUID}-Policy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-Policy-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-Policy-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/Policy
```
<!-- Device-Policies-{Policy GUID}-Policy-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-Policy-Description-Begin -->
<!-- Description-Source-DDF -->
The policy binary encoded as base64. Supported value is a binary file, converted from the policy XML file by the ConvertFrom-CIPolicy cmdlet.
<!-- Device-Policies-{Policy GUID}-Policy-Description-End -->
<!-- Device-Policies-{Policy GUID}-Policy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Default value is empty. Default value is empty.
<!-- Device-Policies-{Policy GUID}-Policy-Editable-End -->
<a href="" id="applicationcontrol-policies-policyguid-policyinfo"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo** <!-- Device-Policies-{Policy GUID}-Policy-DFProperties-Begin -->
An interior node that contains the nodes that describe the policy indicated by the GUID. **Description framework properties**:
Scope is dynamic. Supported operation is Get. | Property name | Property value |
|:--|:--|
| Format | b64 |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Policies-{Policy GUID}-Policy-DFProperties-End -->
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-version"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version** <!-- Device-Policies-{Policy GUID}-Policy-Examples-Begin -->
This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing uses a uint64 as the containing data type. <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-Policy-Examples-End -->
Scope is dynamic. Supported operation is Get. <!-- Device-Policies-{Policy GUID}-Policy-End -->
Value type is char. <!-- Device-Policies-{Policy GUID}-PolicyInfo-Begin -->
#### Policies/{Policy GUID}/PolicyInfo
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-iseffective"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective** <!-- Device-Policies-{Policy GUID}-PolicyInfo-Applicability-Begin -->
This node specifies whether a policy is loaded by the enforcement engine and is in effect on a system. | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Applicability-End -->
Scope is dynamic. Supported operation is Get. <!-- Device-Policies-{Policy GUID}-PolicyInfo-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-OmaUri-End -->
Value type is bool. Supported values are as follows: <!-- Device-Policies-{Policy GUID}-PolicyInfo-Description-Begin -->
<!-- Description-Source-DDF -->
Information Describing the Policy indicated by the GUID.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Description-End -->
- True—Indicates that the policy is loaded by the enforcement engine and is in effect on a system. <!-- Device-Policies-{Policy GUID}-PolicyInfo-Editable-Begin -->
- False—Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value. <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Editable-End -->
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-isdeployed"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed** <!-- Device-Policies-{Policy GUID}-PolicyInfo-DFProperties-Begin -->
This node specifies whether a policy is deployed on the system and is present on the physical machine. **Description framework properties**:
Scope is dynamic. Supported operation is Get. | Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-DFProperties-End -->
Value type is bool. Supported values are as follows: <!-- Device-Policies-{Policy GUID}-PolicyInfo-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Examples-End -->
- True—Indicates that the policy is deployed on the system and is present on the physical machine. <!-- Device-Policies-{Policy GUID}-PolicyInfo-End -->
- False—Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-isauthorized"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** <!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-Begin -->
This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy can't take effect on the system. ##### Policies/{Policy GUID}/PolicyInfo/FriendlyName
Scope is dynamic. Supported operation is Get. <!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-Applicability-End -->
Value type is bool. Supported values are as follows: <!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/FriendlyName
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-OmaUri-End -->
- True—Indicates that the policy is authorized to be loaded by the enforcement engine on the system. <!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-Description-Begin -->
- False—Indicates that the policy isn't authorized to be loaded by the enforcement engine on the system. This value is the default value. <!-- Description-Source-DDF -->
The FriendlyName of the Policy Indicated by the Policy GUID.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-Description-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-Editable-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-Examples-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/IsAuthorized
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsAuthorized
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-Description-Begin -->
<!-- Description-Source-DDF -->
Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-Description-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Supported values are as follows:
- True: Indicates that the policy is authorized to be loaded by the enforcement engine on the system.
- False: Indicates that the policy isn't authorized to be loaded by the enforcement engine on the system. This value is the default value.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-Editable-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | bool |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-Examples-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsAuthorized-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/IsBasePolicy
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsBasePolicy
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-Description-Begin -->
<!-- Description-Source-DDF -->
TRUE/FALSE if the Policy is a Base Policy versus a Supplemental Policy.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-Description-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-Editable-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | bool |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-Examples-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsBasePolicy-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/IsDeployed
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsDeployed
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-Description-Begin -->
<!-- Description-Source-DDF -->
Whether the Policy indicated by the GUID is deployed on the system (on the physical machine).
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-Description-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Supported values are as follows:
- True: Indicates that the policy is deployed on the system and is present on the physical machine.
- False: Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-Editable-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | bool |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-Examples-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsDeployed-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/IsEffective
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsEffective
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-Description-Begin -->
<!-- Description-Source-DDF -->
Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect).
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-Description-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Supported values are as follows:
- True: Indicates that the policy is loaded by the enforcement engine and is in effect on a system.
- False: Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-Editable-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | bool |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-Examples-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsEffective-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/IsSystemPolicy
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsSystemPolicy
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-Description-Begin -->
<!-- Description-Source-DDF -->
TRUE/FALSE if the Policy is a System Policy, that is a policy managed by Microsoft as part of the OS.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-Description-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-Editable-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | bool |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-Examples-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/Status
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/Status
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-Description-Begin -->
<!-- Description-Source-DDF -->
The Current Status of the Policy Indicated by the Policy GUID.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-Description-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Default value is 0, which indicates that the policy status is `OK`.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-Editable-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-Examples-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/Version
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/Version
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-Description-Begin -->
<!-- Description-Source-DDF -->
Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-Description-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-Editable-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-Examples-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Version-End -->
<!-- Device-Tokens-Begin -->
## Tokens
<!-- Device-Tokens-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Tokens-Applicability-End -->
<!-- Device-Tokens-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Tokens
```
<!-- Device-Tokens-OmaUri-End -->
<!-- Device-Tokens-Description-Begin -->
<!-- Description-Source-DDF -->
Beginning of a Subtree that contains all tokens.
<!-- Device-Tokens-Description-End -->
<!-- Device-Tokens-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Tokens-Editable-End -->
<!-- Device-Tokens-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Get |
<!-- Device-Tokens-DFProperties-End -->
<!-- Device-Tokens-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Tokens-Examples-End -->
<!-- Device-Tokens-End -->
<!-- Device-Tokens-{ID}-Begin -->
### Tokens/{ID}
<!-- Device-Tokens-{ID}-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Tokens-{ID}-Applicability-End -->
<!-- Device-Tokens-{ID}-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Tokens/{ID}
```
<!-- Device-Tokens-{ID}-OmaUri-End -->
<!-- Device-Tokens-{ID}-Description-Begin -->
<!-- Description-Source-DDF -->
Arbitrary ID used to differentiate tokens.
<!-- Device-Tokens-{ID}-Description-End -->
<!-- Device-Tokens-{ID}-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Tokens-{ID}-Editable-End -->
<!-- Device-Tokens-{ID}-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Get |
| Dynamic Node Naming | UniqueName: The ApplicationControl CSP enforces that the "ID" segment of a given token URI is unique. |
<!-- Device-Tokens-{ID}-DFProperties-End -->
<!-- Device-Tokens-{ID}-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Tokens-{ID}-Examples-End -->
<!-- Device-Tokens-{ID}-End -->
<!-- Device-Tokens-{ID}-Token-Begin -->
#### Tokens/{ID}/Token
<!-- Device-Tokens-{ID}-Token-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Tokens-{ID}-Token-Applicability-End -->
<!-- Device-Tokens-{ID}-Token-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Tokens/{ID}/Token
```
<!-- Device-Tokens-{ID}-Token-OmaUri-End -->
<!-- Device-Tokens-{ID}-Token-Description-Begin -->
<!-- Description-Source-DDF -->
The token binary encoded as base64. Supported value is a binary file, obtained from the OneCoreDeviceUnlockService.
<!-- Device-Tokens-{ID}-Token-Description-End -->
<!-- Device-Tokens-{ID}-Token-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Tokens-{ID}-Token-Editable-End -->
<!-- Device-Tokens-{ID}-Token-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | b64 |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Tokens-{ID}-Token-DFProperties-End -->
<!-- Device-Tokens-{ID}-Token-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Tokens-{ID}-Token-Examples-End -->
<!-- Device-Tokens-{ID}-Token-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Begin -->
#### Tokens/{ID}/TokenInfo
<!-- Device-Tokens-{ID}-TokenInfo-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Tokens-{ID}-TokenInfo-Applicability-End -->
<!-- Device-Tokens-{ID}-TokenInfo-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Tokens/{ID}/TokenInfo
```
<!-- Device-Tokens-{ID}-TokenInfo-OmaUri-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Description-Begin -->
<!-- Description-Source-DDF -->
Information Describing the Token indicated by the corresponding ID.
<!-- Device-Tokens-{ID}-TokenInfo-Description-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Tokens-{ID}-TokenInfo-Editable-End -->
<!-- Device-Tokens-{ID}-TokenInfo-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Get |
<!-- Device-Tokens-{ID}-TokenInfo-DFProperties-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Tokens-{ID}-TokenInfo-Examples-End -->
<!-- Device-Tokens-{ID}-TokenInfo-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Status-Begin -->
##### Tokens/{ID}/TokenInfo/Status
<!-- Device-Tokens-{ID}-TokenInfo-Status-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Tokens-{ID}-TokenInfo-Status-Applicability-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Status-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Tokens/{ID}/TokenInfo/Status
```
<!-- Device-Tokens-{ID}-TokenInfo-Status-OmaUri-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Status-Description-Begin -->
<!-- Description-Source-DDF -->
The Current Status of the Token Indicated by the Token ID.
<!-- Device-Tokens-{ID}-TokenInfo-Status-Description-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Status-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Tokens-{ID}-TokenInfo-Status-Editable-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Status-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Get |
<!-- Device-Tokens-{ID}-TokenInfo-Status-DFProperties-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Status-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Tokens-{ID}-TokenInfo-Status-Examples-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Status-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Type-Begin -->
##### Tokens/{ID}/TokenInfo/Type
<!-- Device-Tokens-{ID}-TokenInfo-Type-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Tokens-{ID}-TokenInfo-Type-Applicability-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Type-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Tokens/{ID}/TokenInfo/Type
```
<!-- Device-Tokens-{ID}-TokenInfo-Type-OmaUri-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Type-Description-Begin -->
<!-- Description-Source-DDF -->
The Type of Token Indicated by the Token ID.
<!-- Device-Tokens-{ID}-TokenInfo-Type-Description-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Type-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Tokens-{ID}-TokenInfo-Type-Editable-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Type-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Get |
<!-- Device-Tokens-{ID}-TokenInfo-Type-DFProperties-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Type-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Tokens-{ID}-TokenInfo-Type-Examples-End -->
<!-- Device-Tokens-{ID}-TokenInfo-Type-End -->
<!-- ApplicationControl-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
## IsAuthorized, IsDeployed, and IsEffective values
The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes: The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes:
|IsAuthorized | IsDeployed | IsEffective | Resultant | | IsAuthorized | IsDeployed | IsEffective | Resultant |
|------------ | ---------- | ----------- | --------- | |--------------|------------|-------------|-----------------------------------------------|
|True|True|True|Policy is currently running and is in effect.| | True | True | True | Policy is currently running and is in effect. |
|True|True|False|Policy requires a reboot to take effect.| | True | True | False | Policy requires a reboot to take effect. |
|True|False|True|Policy requires a reboot to unload from CI.| | True | False | True | Policy requires a reboot to unload from CI. |
|False|True|True|Not Reachable.| | False | True | True | Not Reachable. |
|True|False|False|*Not Reachable.| | True | False | False | *Not Reachable. |
|False|True|False|*Not Reachable.| | False | True | False | *Not Reachable. |
|False|False|True|Not Reachable.| | False | False | True | Not Reachable. |
|False|False|False|*Not Reachable.| | False | False | False | *Not Reachable. |
\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the `END_COMMAND_PROCESSING` will result in a fail. \* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the `END_COMMAND_PROCESSING` will result in a fail.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-status"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status**
This node specifies whether the deployment of the policy indicated by the GUID was successful.
Scope is dynamic. Supported operation is Get.
Value type is integer. Default value is 0 = OK.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-friendlyname"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName**
This node provides the friendly name of the policy indicated by the policy GUID.
Scope is dynamic. Supported operation is Get.
Value type is char.
## Microsoft Intune Usage Guidance ## Microsoft Intune Usage Guidance
For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
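Review bot: Tokens/{ID}/TokenInfo/Status and Tokens/{ID}/TokenInfo/Type are both declared as Format int with Access Type Get, but their Editable sections are empty, so nothing on the page says what any returned integer means. Policies/{Policy GUID}/PolicyInfo/Status at least records "Default value is 0, which indicates that the policy status is `OK`"; please add the equivalent value lists for the two token nodes and list the non-zero PolicyInfo/Status values too. The older Status entry near the end of this hunk says "This node specifies whether the deployment of the policy indicated by the GUID was successful", which tells an administrator more than the new DDF description "The Current Status of the Policy Indicated by the Policy GUID"; if that older entry is being dropped, carry its meaning into the Editable section. IsBasePolicy and IsSystemPolicy could also take the same "Supported values are as follows" list that IsAuthorized, IsDeployed and IsEffective have.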
@ -164,7 +802,7 @@ In order to use the ApplicationControl CSP without using Intune, you must:
Below is a sample certutil invocation: Below is a sample certutil invocation:
```console ```cmd
certutil -encode WinSiPolicy.p7b WinSiPolicy.cer certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
``` ```
@ -242,15 +880,15 @@ Perform a GET using a deployed policy's GUID to interrogate/inspect the policy i
The following table displays the result of Get operation on different nodes: The following table displays the result of Get operation on different nodes:
|Nodes | Get Results| | Nodes | Get Results |
|------------- | ------| |---------------------------------------------------------------------------------|----------------------------------------|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy|raw p7b| | ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy | raw p7b |
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version|Policy version| | ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version | Policy version |
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective|Is the policy in effect| | ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective | Is the policy in effect |
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed|Is the policy on the system| | ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed | Is the policy on the system |
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized|Is the policy authorized on the system| | ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized | Is the policy authorized on the system |
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful| | ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status | Was the deployment successful |
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy| | ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName | Friendly name per the policy |
An example of Get command is: An example of Get command is:
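Review bot: The Get results table is only realigned here and still stops at PolicyInfo/FriendlyName, with no rows for ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsBasePolicy or ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsSystemPolicy, both of which this same file documents as bool nodes with Access Type Get. Since every row is being rewritten anyway, add those two rows so the table matches the node list; someone auditing which policies are loaded on a device needs IsBasePolicy and IsSystemPolicy to tell supplemental and Microsoft-managed policies apart from the ones they deployed.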
@ -328,7 +966,10 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa
```powershell ```powershell
Get-CimInstance -Namespace $namespace -ClassName $policyClassName Get-CimInstance -Namespace $namespace -ClassName $policyClassName
``` ```
<!-- ApplicationControl-CspMoreInfo-End -->
<!-- ApplicationControl-End -->
## Related articles ## Related articles
[Configuration service provider reference](index.yml) [Configuration service provider reference](configuration-service-provider-reference.md)