deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 13:47:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fixed syntax

Browse Source
This commit is contained in:
Justin Hall 2019-05-16 13:38:21 -07:00
parent 3b41700ac3
commit 68ec9c0da4
1 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
View File

@ -53,36 +53,52 @@ Just as there are differences in managing each rule collection, you need to mana
You can use `New-CIPolicyRule -Package $Package -Deny` to block packaged apps: You can use `New-CIPolicyRule -Package $Package -Deny` to block packaged apps:
1. Get the info about an installed package. 1. Get the info about an installed package.
```powershell ```powershell
$package = Get-AppxPackage -name <netflix> $package = Get-AppxPackage -name <netflix>
``` ```
Dependencies field in output is full Package object, can be accessed and passed directly to New-CIPolicyRule. Dependencies field in output is full Package object, can be accessed and passed directly to New-CIPolicyRule.
2. Make a rule. 2. Make a rule.
```powershell ```powershell
$Rule = New-CIPolicyRule -Package $package -deny $Rule = New-CIPolicyRule -Package $package -deny
``` ```
3. Repeat for other packages you want to block using $rule +=…. 3. Repeat for other packages you want to block using $rule +=….
4. Make a policy for just the blocks you created for packages. 4. Make a policy for just the blocks you created for packages.
```powershell ```powershell
New-CIpolicy -rules $rule -f .\policy.xml -u New-CIpolicy -rules $rule -f .\policy.xml -u
``` ```
5. Merge with allow windows policy, or you could also use examplepolicies\AllowAll.xml. 5. Merge with allow windows policy, or you could also use examplepolicies\AllowAll.xml.
```powershell ```powershell
Merge-CIPolicy -PolicyPaths .\policy.xml,C:\windows\Schemas\codeintegrity\examplepolicies\DefaultWindows_Audit.xml -o allowWindowsDenyPackages.xml Merge-CIPolicy -PolicyPaths .\policy.xml,C:\windows\Schemas\codeintegrity\examplepolicies\DefaultWindows_Audit.xml -o allowWindowsDenyPackages.xml
``` ```
6. Disable audit mode. 6. Disable audit mode.
```powershell ```powershell
Set-RuleOption -o 3 -Delete .\allowWindowsDenyPackages.xml Set-RuleOption -o 3 -Delete .\allowWindowsDenyPackages.xml
``` ```
7. Enable invalidate EAs on reboot. 7. Enable invalidate EAs on reboot.
```powershell ```powershell
Set-RuleOption -o 15 .\allowWindowsDenyPackages.xml Set-RuleOption -o 15 .\allowWindowsDenyPackages.xml
``` ```
8. Compile the policy 8. Compile the policy
```powershell ```powershell
ConvertFrom-CIPolicy .\AllowWindowsDenyPackages.xml C:\compiledpolicy.bin ConvertFrom-CIPolicy .\AllowWindowsDenyPackages.xml C:\compiledpolicy.bin
``` ```
9. Install the policy withwout restarting. 9. Install the policy withwout restarting.
```powershell ```powershell
Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = "C:\compiledpolicy.bin"} Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = "C:\compiledpolicy.bin"}
``` ```