deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Initial commit of MEMCM doc supplement work

Browse Source
This commit is contained in:
Jordan Geurten
2022-06-23 15:06:05 -04:00
parent 64234d33c5
commit 6038a000bc
21 changed files with 61 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
View File

@ -41,8 +41,59 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10
Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
### Create a WDAC Policy in MEMCM
1. Select **Asset and Compliance** > **Endpoint Protection** > **Windows Defender Application Control** > **Create Application Control Policy**
![Create a WDAC policy in MEMCM.](../images/memcm/memcm-create-wdac-policy.jpg)
2. Enter the name of the policy > **Next**
3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes**
4. Select the mode which you want the policy to run (Enforcement enabled / Audit Only)
5. Click **Next**
![Create an enforced WDAC policy in MEMCM.](../images/memcm/memcm-create-wdac-policy-2.jpg)
6. Click **Add** to begin creating rules for trusted software
![Create a WDAC path rule in MEMCM.](../images/memcm/memcm-create-wdac-rule.jpg)
7. Select **File** or **Folder** to create a path rule > **Browse**
![Create a WDAC path rule in MEMCM.](../images/memcm/memcm-create-wdac-rule-2.jpg)
8. Select the executable or folder for your path rule > **OK**
![Select the file or folder.](../images/memcm/memcm-create-wdac-rule-3.jpg)
9. Select **OK** to add the rule to the table of trusted files or folder
10. Select **Next** to navigate to the summary page > **Close**
![Confirm the WDAC path rule in MEMCM.](../images/memcm/memcm-confirm-wdac-rule.jpg)
### Deploy the WDAC Policy in MEMCM
1. Right-click the newly created policy > **Deploy Application Control Policy**
![Deploy WDAC via MEMCM.](../images/memcm/memcm-deploy-wdac.jpg)
2. Select **Browse**
![Deploy WDAC via MEMCM.](../images/memcm/memcm-deploy-wdac-2.jpg)
3. Select the Device Collection you created earlier > **OK**
![Select the device collection.](../images/memcm/memcm-deploy-wdac-3.jpg)
4. Change the schedule > **OK**
![Change the WDAC deployment schedule.](../images/memcm/memcm-deploy-wdac-4.jpg)
For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
The entire WDAC in MEMCM Lab Paper is available for download [here](../pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf).
## Deploy custom WDAC policies using Packages/Programs or Task Sequences
Using MEMCM's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in MEMCM too limiting. To define your own circle-of-trust, you can use MEMCM to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.

68
windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md Normal file
View File

@ -0,0 +1,68 @@
---
title: Deploy WDAC policies via Group Policy (Windows)
description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 02/28/2018
ms.technology: windows-sec
---
# Deploy Windows Defender Application Control policies by using Group Policy
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
> [!NOTE]
> Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
Single-policy format WDAC policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
To deploy and manage a WDAC policy with Group Policy:
1. On a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC**
2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**.
> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md).
![Group Policy Management, create a GPO.](images/dg-fig24-creategpo.png)
3. Name the new GPO. You can choose any name.
4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
![Edit the Group Policy for Windows Defender Application Control.](images/wdac-edit-gp.png)
6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.
In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with ContosoPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\ContosoPolicy.bin.
> [!NOTE]
> This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
![Group Policy called Deploy Windows Defender Application Control.](images/dg-fig26-enablecode.png)
> [!NOTE]
> You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the WDAC policy.

103
windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md Normal file
View File

@ -0,0 +1,103 @@
---
title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows)
description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 04/29/2020
ms.technology: windows-sec
---
# Deploy WDAC policies using Mobile Device Management (MDM)
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager (MEM) Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
## Use Intune's built-in policies
Intune's built-in WDAC support allows you to configure Windows client computers to only run:
- Windows components
- 3rd party hardware and software kernel drivers
- Microsoft Store-signed apps
- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
> [!NOTE]
> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.
> [!NOTE]
> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP will always request a reboot when applying WDAC policies. You can use Intune's custom OMA-URI feature with the ApplicationControl CSP to deploy your own WDAC policies rebootlessly.
To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windows 10 (and later)](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json).
## Deploy WDAC policies with custom OMA-URI
> [!NOTE]
> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create WDAC policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
### Deploy custom WDAC policies on Windows 10 1903+
Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies.
The steps to use Intune's custom OMA-URI functionality are:
1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>`
2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
- **Data type**: Base64
- **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
> [!div class="mx-imgBorder"]
> ![Configure custom WDAC.](images/wdac-intune-custom-oma-uri.png)
> [!NOTE]
> For the _Policy GUID_ value, do not include the curly brackets.
### Remove WDAC policies on Windows 10 1903+
Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable WDAC enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This will prevent anything from being blocked and fully remove the WDAC policy on the next reboot.
### For pre-1903 systems
#### Deploying policies
The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
2. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
3. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)
- **Data type**: Base64
- **Certificate file**: upload your binary format policy file
> [!NOTE]
> Deploying policies via the AppLocker CSP will force a reboot during OOBE.
#### Removing policies
Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy.