diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index dbbecb3b74..881b4476dc 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -80,6 +80,7 @@ This node specifies whether the policy is authorized to be loaded by the enforce Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: + - True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system. - False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. @@ -114,22 +115,38 @@ Value type is char. ## Usage guidance -To use ApplicationControl CSP, you must: -- Know a generated policy’s GUID, which can be found in the policy xml as ``. -- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +> ![Note] +> If using Intune standalone or for hybrid management with Configuration Manager (SCCM) through Microsoft Endpoint Manager, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) for more information on deploying policies with ApplicationControl CSP. Microsoft Intune handles the creation of a policy node and does all the below steps to deploy policies on your behalf, so you shouldn't do any of the below steps if using Intune to leverage ApplicationControl CSP. -If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy via uploading the binary file. +In order to use ApplicationControl CSP, you must: + +- Know a generated policy’s GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. +- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +- Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool. + +Here is a sample certutil invocation: + +```powershell +certutil -encode WinSiPolicy.p7b WinSiPolicy.cer +``` + +An alternative to using certutil would be to use the following PowerShell invocation: + +```powershell +[Convert]::toBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) +``` ### Deploy policies -To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. -To deploy base policy and supplemental policies: -- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. +In order to deploy a new base policy or supplemental policy using the CSP: + +- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. Refer to the the Format section in the Example 1 below. - Repeat for each base or supplemental policy (with its own GUID and data). -The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). +The following example shows the deployment of two base policies and a supplemental policy. Because the supplemental policy already specifies the base policy it supplements, that does not need to be repeated in the ADD. **Example 1: Add first base policy** + ```xml 1 @@ -144,7 +161,9 @@ The following example shows the deployment of two base policies and a supplement ``` + **Example 2: Add second base policy** + ```xml 1 @@ -159,7 +178,9 @@ The following example shows the deployment of two base policies and a supplement ``` + **Example 3: Add supplemental policy** + ```xml 1 @@ -174,6 +195,7 @@ The following example shows the deployment of two base policies and a supplement ``` + ### Get policies Perform a GET using a deployed policy’s GUID to interrogate/inspect the policy itself or information about it. @@ -191,6 +213,7 @@ The following table displays the result of Get operation on different nodes: |./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy| The following is an example of Get command: + ```xml 1 @@ -203,17 +226,20 @@ The following is an example of Get command: ``` ### Delete policies -To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy**. + +To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy**. > [!Note] -> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy. - +> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy** is not sufficient to delete a signed policy. + To delete a signed policy: + 1. Replace it with a signed update allowing unsigned policy. 2. Deploy another update with unsigned policy. 3. Perform delete. - + The following is an example of Delete command: + ```xml 1