mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-24 06:43:38 +00:00
Merge branch 'master' into aljupudi-w11defender-branch01
@ -37,7 +37,7 @@ Refer to the below video for an overview and brief demo.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp]

## Policy Authorization Process

![Intune](images/wdac-intune-policy-authorization.png)
![Intune](images/wdac-intune-policy-authorization.png)

The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to WDAC PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, we recommend assigning it to a single test S-mode device to verify expected functioning before deploying the policy more broadly.

1. Generate a supplemental policy with WDAC tooling
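Review bot: the removed and added image lines in this hunk read identically here (`![Intune](images/wdac-intune-policy-authorization.png)` twice), so what actually changed (path, alt text or only whitespace) cannot be reviewed from the diff; please say in the description. Independently of that, the alt text `Intune` does not describe the diagram; under a heading "Policy Authorization Process" something like `Diagram of the S mode supplemental policy authorization process` would serve screen-reader users, and the same applies to the other `Intune` alt texts in this file.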
@ -89,11 +89,11 @@ The general steps for expanding the S mode base policy on your Intune-managed de
> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number.

## Standard Process for Deploying Apps through Intune

![Intune](images/wdac-intune-app-deployment.png)
![Intune](images/wdac-intune-app-deployment.png)

Refer to [Intune Standalone - Win32 app management](/intune/apps-win32-app-management) for guidance on the existing procedure of packaging signed catalogs and app deployment.

## Optional: Process for Deploying Apps using Catalogs

![Intune](images/wdac-intune-app-catalogs.png)
![Intune](images/wdac-intune-app-catalogs.png)

Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well.

Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate.
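Review bot: the closing sentence of this hunk, "This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate", is hard to parse; suggest "This works for unsigned apps, and for signed apps when you don't want to trust everything signed with the same certificate." It would also help to state in the trade-off paragraph what the catalog buys you: a signed catalog authorizes only the files whose hashes it contains, which is exactly the narrower scope the signer rule lacks.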
@ -61,7 +61,7 @@ AppLocker can be configured to display the default message but with a custom URL
The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link.

![applocker-blockedapplication](images/applocker-blockedapplication.png)
![applocker-blockedapplication](images/applocker-blockedapplication.png)

For steps to display a custom URL for the message, see [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md).
@ -44,7 +44,7 @@ Because a computer's effective policy includes rules from each linked GPO, dupli
The following figure demonstrates how AppLocker rule enforcement is applied through linked GPOs.

![applocker-plan-inheritance](images/applocker-plan-inheritance.gif)
![applocker-plan-inheritance](images/applocker-plan-inheritance.gif)

In the preceding illustration, note that all GPOs linked to Contoso are applied in order as configured. The rules that are not configured are also applied. For example, the result of the Contoso and Human Resources GPOs is 33 rules enforced, as shown in the client HR-Term1. The Human Resources GPO contains 10 non-configured rules. When the rule collection is configured for **Audit only**, no rules are enforced.
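Review bot: the last paragraph of this hunk does not let a reader reproduce the figure it gives: it says "the rules that are not configured are also applied", then that the Human Resources GPO "contains 10 non-configured rules" and that the result is "33 rules enforced", without saying how many rules each GPO contributes or what applying a non-configured rule means. Either show the arithmetic (rules in Contoso plus rules in Human Resources) or drop the number. The closing sentence "When the rule collection is configured for **Audit only**, no rules are enforced" should add that the rules are still evaluated and matches are written to the AppLocker event log; as written it reads as if audit mode switches the collection off.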
@ -30,7 +30,7 @@ To successfully deploy AppLocker policies, you need to identify your application
The following diagram shows the main points in the design, planning, and deployment process for AppLocker.

![applocker-plandeploy-quickreference](images/applocker-plandeploy-quickreference.gif)
![applocker-plandeploy-quickreference](images/applocker-plandeploy-quickreference.gif)

## Resources to support the deployment process
@ -46,7 +46,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
**Figure 1. Exceptions to the deployed WDAC policy** <br>

![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png)
![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png)

3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
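Review bot: the caption `**Figure 1. Exceptions to the deployed WDAC policy** <br>` carries a raw `<br>` that the same caption in the next file (`**Figure 1. Exceptions to the deployed WDAC policy**`) does not; the blank line that follows already separates it from the image, so drop the `<br>` and keep the two files consistent.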
@ -45,7 +45,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md).

**Figure 1. Exceptions to the deployed WDAC policy**

![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png)
![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png)

3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
@ -39,7 +39,7 @@ ECDSA is not supported.
2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console.

![CA snap-in showing Certificate Templates](images/dg-fig09-enableconstraints.png)
![CA snap-in showing Certificate Templates](images/dg-fig09-enableconstraints.png)

Figure 1. Manage the certificate templates
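Review bot: step 2 says "click **Manage** to open the Certification Templates Console"; the MMC console that **Manage** opens is the Certificate Templates Console (certtmpl.msc), which also matches the **Certificate Templates** node named earlier in the same sentence. Please correct the console name.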
@ -55,7 +55,7 @@ ECDSA is not supported.
8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2.

![Edit Basic Constraints Extension](images/dg-fig10-enablecert.png)
![Edit Basic Constraints Extension](images/dg-fig10-enablecert.png)

Figure 2. Select constraints on the new template
@ -71,7 +71,7 @@ When this certificate template has been created, you must publish it to the CA p
1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3.

![Certificate Template to Issue](images/dg-fig11-certificatetemplate.png)
![Certificate Template to Issue](images/dg-fig11-certificatetemplate.png)

Figure 3. Select the new certificate template to issue
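Review bot: step 1 says to right-click **Certification Templates** in the Certification Authority snap-in; the folder in that snap-in is named **Certificate Templates** (only the snap-in itself is "Certification Authority"), and the earlier hunk in this file already writes **Certificate Templates**. Please align the two so a reader looking for the node finds it.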
@ -89,7 +89,7 @@ Now that the template is available to be issued, you must request one from the c
4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.

![Request Certificates: more information required](images/dg-fig12-certificateinfo.png)
![Request Certificates: more information required](images/dg-fig12-certificateinfo.png)

Figure 4. Get more information for your code signing certificate
@ -142,7 +142,7 @@ To sign the existing catalog file, copy each of the following commands into an e
4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1.

![Digital Signature list in file Properties](images/dg-fig13-digitalsignature.png)
![Digital Signature list in file Properties](images/dg-fig13-digitalsignature.png)

Figure 1. Verify that the signing certificate exists
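Review bot: step 4 verifies the catalog signature only through the file Properties dialog, while the surrounding steps are PowerShell commands; add a scriptable equivalent so the check can be automated in the same session, for example `Get-AuthenticodeSignature .\<catalog>.cat | Format-List Status, SignerCertificate`, and state that `Status` must be `Valid` and that the signer thumbprint must match the certificate used in the signing step. `<catalog>` stands for the catalog file name used in the preceding commands, which is outside this hunk.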
@ -182,7 +182,7 @@ To simplify the management of catalog files, you can use Group Policy preference
> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate).

![Group Policy Management, create a GPO](images/dg-fig14-createnewgpo.png)
![Group Policy Management, create a GPO](images/dg-fig14-createnewgpo.png)

Figure 2. Create a new GPO
@ -192,7 +192,7 @@ To simplify the management of catalog files, you can use Group Policy preference
5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 3.

![Group Policy Management Editor, New File](images/dg-fig15-setnewfileprops.png)
![Group Policy Management Editor, New File](images/dg-fig15-setnewfileprops.png)

Figure 3. Create a new file
@ -202,7 +202,7 @@ To simplify the management of catalog files, you can use Group Policy preference
7. To keep versions consistent, in the **New File Properties** dialog box (Figure 4), select **Replace** from the **Action** list so that the newest version is always used.

![File Properties, Replace option](images/dg-fig16-specifyinfo.png)
![File Properties, Replace option](images/dg-fig16-specifyinfo.png)

Figure 4. Set the new file properties
@ -235,7 +235,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c
3. Name the package, set your organization as the manufacturer, and select an appropriate version number.

![Specify information about the new package](images/dg-fig17-specifyinfo.png)
![Specify information about the new package](images/dg-fig17-specifyinfo.png)

Figure 5. Specify information about the new package
@ -257,7 +257,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c
- From the **Drive mode** list, select **Runs with UNC name**.

![Standard program properties](images/dg-fig18-specifyinfo.png)
![Standard program properties](images/dg-fig18-specifyinfo.png)

Figure 6. Specify information about the standard program
@ -285,7 +285,7 @@ After you create the deployment package, deploy it to a collection so that the c
- Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box.

![Deploy Software wizard](images/dg-fig19-customsettings.png)
![Deploy Software wizard](images/dg-fig19-customsettings.png)

Figure 7. Specify the user experience
@ -310,13 +310,13 @@ When catalog files have been deployed to the computers within your environment,
3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8.

![Create Custom Client Device Settings](images/dg-fig20-setsoftwareinv.png)
![Create Custom Client Device Settings](images/dg-fig20-setsoftwareinv.png)

Figure 8. Select custom settings

4. In the navigation pane, click **Software Inventory**, and then click **Set Types**, as shown in Figure 9.

![Custom Client Device Settings](images/dg-fig21-pathproperties.png)
![Custom Client Device Settings](images/dg-fig21-pathproperties.png)

Figure 9. Set the software inventory
@ -329,7 +329,7 @@ When catalog files have been deployed to the computers within your environment,
7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10.

![Path Properties, specifying a path](images/dg-fig22-deploycode.png)
![Path Properties, specifying a path](images/dg-fig22-deploycode.png)

Figure 10. Set the path properties
@ -43,7 +43,7 @@ To deploy and manage a WDAC policy with Group Policy:
> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md).

![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png)
![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png)

3. Name the new GPO. You can choose any name.
@ -51,7 +51,7 @@ To deploy and manage a WDAC policy with Group Policy:
5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.

![Edit the Group Policy for Windows Defender Application Control](images/wdac-edit-gp.png)
![Edit the Group Policy for Windows Defender Application Control](images/wdac-edit-gp.png)

6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.
@ -60,7 +60,7 @@ To deploy and manage a WDAC policy with Group Policy:
> [!NOTE]
> This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.

![Group Policy called Deploy Windows Defender Application Control](images/dg-fig26-enablecode.png)
![Group Policy called Deploy Windows Defender Application Control](images/dg-fig26-enablecode.png)

> [!NOTE]
> You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
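Review bot: the first note says to copy the policy to "a file share to which all computer accounts have access"; it should say read access only. The GPO setting points every client at that path, so anyone who can write to the share can substitute the policy file: a tampered signed policy is rejected by the client, but the unsigned .bin this example deploys would simply be applied. The second note also repeats the first note's point that whatever is selected is converted to SIPolicy.p7b on the client; fold the two into one note to avoid the duplication.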
@ -71,7 +71,7 @@ The steps to use Intune's custom OMA-URI functionality are:
- **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.

> [!div class="mx-imgBorder"]
> ![Intune custom OMA-URI](images/wdac-intune-custom-oma-uri.png)
> ![Intune custom OMA-URI](images/wdac-intune-custom-oma-uri.png)

> [!NOTE]
> For the _Policy GUID_ value, do not include the curly brackets.
@ -45,7 +45,7 @@ Most WDAC policies will evolve over time and proceed through a set of identifiab
6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.

![WDAC policy lifecycle](images/wdac-policy-lifecycle.png)
![WDAC policy lifecycle](images/wdac-policy-lifecycle.png)

### Keep WDAC policies in a source control or document management solution
@ -43,7 +43,7 @@ Each of the template policies has a unique set of policy allow list rules that w
More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example WDAC base policies article](example-wdac-base-policies.md).

![Selecting a base template](images/wdac-wizard-template-selection.png)
![Selecting a base template](images/wdac-wizard-template-selection.png)

Once the base template is selected, give the policy a name and choose where to save the application control policy on disk.
@ -69,7 +69,7 @@ A description of each policy rule, beginning with the left-most column, is provi
| **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |

> [!div class="mx-imgBorder"]
> ![Policy rules](images/wdac-wizard-policy-rules.png)
> ![Policy rules](images/wdac-wizard-policy-rules.png)

### Advanced Policy Rules Description
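Review bot: the **User Mode Code Integrity** row opens with "WDAC policies restrict both kernel-mode and user-mode binaries" and then says "By default, only kernel-mode binaries are restricted", which contradicts itself within two sentences; suggest "WDAC policies can restrict both kernel-mode and user-mode binaries. By default only kernel-mode binaries are restricted; enabling this option extends validation to user-mode executables and scripts."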
@ -84,7 +84,7 @@ Selecting the **+ Advanced Options** label will show another column of policy ru
| **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.|
| **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. |

![Advanced policy rules](images/wdac-wizard-advanced-policy-rules.png)
![Advanced policy rules](images/wdac-wizard-advanced-policy-rules.png)

> [!NOTE]
> We recommend that you **enable Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default.
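Review bot: the **Invalidate EAs on Reboot** row says the option makes WDAC "periodically revalidate" ISG-authorized files, which does not match the option's own name; say instead that the extended attribute written for an ISG-authorized file is discarded at reboot, so the file's reputation is checked again the next time it runs. The row also has no space before its closing `|`, unlike the **Require EV Signers** row.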
@ -105,7 +105,7 @@ The Publisher file rule type uses properties in the code signing certificate cha
| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate as well as a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |

![Custom publisher rule](images/wdac-wizard-custom-publisher-rule.png)
![Custom publisher rule](images/wdac-wizard-custom-publisher-rule.png)

### Filepath Rules
@ -123,7 +123,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
| **Internal name** | Specifies the internal name of the binary. |

> [!div class="mx-imgBorder"]
> ![Custom filename rules](images/wdac-wizard-custom-filename-rule.png)
> ![Custom filename rules](images/wdac-wizard-custom-filename-rule.png)

### File Hash Rules
@ -33,15 +33,15 @@ Prerequisite information about application control can be accessed through the [
Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation.

![Base policy allows supplemental policies](images/wdac-wizard-supplemental-expandable.png)
![Base policy allows supplemental policies](images/wdac-wizard-supplemental-expandable.png)

If the base policy is not configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed.

![Wizard confirms modification of base policy](images/wdac-wizard-confirm-base-policy-modification.png)
![Wizard confirms modification of base policy](images/wdac-wizard-confirm-base-policy-modification.png)

Policies that cannot be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md).

![Wizard detects a bad base policy](images/wdac-wizard-supplemental-not-base.png)
![Wizard detects a bad base policy](images/wdac-wizard-supplemental-not-base.png)

## Configuring Policy Rules
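Review bot: the paragraph on converting a base policy that does not allow supplementals omits the consequence of the conversion. The Wizard edits the base policy XML, so the modified base must be redeployed to the devices (and re-signed first, if the base is a signed policy) before the new supplemental policy is honored; a supplemental policy whose base on the device still lacks the Allow Supplemental Policies option is ignored, and the supplemental's BasePolicyID must continue to match the base's PolicyID after the conversion. Add a sentence to that effect after the confirmation dialog.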
@ -60,7 +60,7 @@ There are only three policy rules that can be configured by the supplemental pol
| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |

![Rule options UI for Windows Allowed mode](images/wdac-wizard-supplemental-policy-rule-options-UI.png)
![Rule options UI for Windows Allowed mode](images/wdac-wizard-supplemental-policy-rule-options-UI.png)

## Creating custom file rules
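Review bot: the **Disable Runtime FilePath Rule Protection** row states what the protection is but not what turning it off costs. Once disabled, a FilePath allow rule also matches files under that path that a standard user can write to, so any user who can drop a file there can run it under the rule. Since this table is what the Wizard user reads while deciding, add that sentence and say that the default (protection on) should be kept unless a rule genuinely has to cover a path that is not admin-writable only, in which case the rule amounts to allowing whatever users place there.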
@ -78,7 +78,7 @@ The Publisher file rule type uses properties in the code signing certificate cha
| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |

![Custom publisher rule](images/wdac-wizard-custom-publisher-rule.png)
![Custom publisher rule](images/wdac-wizard-custom-publisher-rule.png)

### Filepath Rules
@ -96,7 +96,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
| **Internal name** | Specifies the internal name of the binary. |

![Custom filename rules](images/wdac-wizard-custom-filename-rule.png)
![Custom filename rules](images/wdac-wizard-custom-filename-rule.png)

### File Hash Rules
@ -36,7 +36,7 @@ The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShe
The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains additional policy rule options that are less common to the majority of users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules).

![Configuring the policy rules](images/wdac-wizard-edit-policy-rules.png)
![Configuring the policy rules](images/wdac-wizard-edit-policy-rules.png)

A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules).
@ -50,7 +50,7 @@ Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more
The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table.

![Removing a file rule](images/wdac-wizard-edit-remove-file-rule.png)
![Removing a file rule](images/wdac-wizard-edit-remove-file-rule.png)

**Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2.
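Review bot: this file writes the note as inline `**Note:**` while the other files touched by this commit use the `> [!NOTE]` alert block (the Group Policy deployment, catalog file and Wizard policy-rules hunks above); switch to `> [!NOTE]` for consistency. The point the note makes is worth keeping prominent, since a removed publisher rule silently takes its FileAttrib rules with it.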
@ -30,4 +30,4 @@ Select the policies you wish to merge into one policy using the `+ Add Policy` b
Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy.

![Merging WDAC policies into a final WDAC policy](images/wdac-wizard-merge.png)
![Merging WDAC policies into a final WDAC policy](images/wdac-wizard-merge.png)