deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

AppLocker CSP forces reboot during OOBE

Browse Source
This commit is contained in:
brbrahm
2020-04-29 16:26:13 -07:00
parent 5fbaa60557
commit 7868aebb5b
2 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/client-management/mdm/applocker-csp.md
View File

@ -34,6 +34,8 @@ Defines restrictions for applications.
>
> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node.
> [!NOTE]
> Deploying policies via the AppLocker CSP will force a reboot during OOBE.
Additional information:
@ -1754,7 +1756,7 @@ In this example, Contoso is the node name. We recommend using a GUID for this no
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE" BinaryName="WINWORD.EXE">
<BinaryVersionRange LowSection="16.0.10336.20000" HighSection="*" />
</FilePublisherCondition>
</Exceptions>
</Exceptions>
</FilePublisherRule>
<FilePublisherRule Id="de9f3461-6856-405d-9624-a80ca701f6cb" Name="MICROSOFT OFFICE 2003, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>

7
windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
View File

@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 02/28/2020
ms.date: 04/29/2020
---
# Deploy Windows Defender Application Control policies by using Microsoft Intune
@ -52,7 +52,7 @@ Setting "Trust apps with good reputation" to enabled is equivalent to adding [Op
### For 1903+ systems
The steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy to 1903+ systems are:
1. Know a generated policys GUID, which can be found in the policy xml as `<PolicyID>`
1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>`
2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
4. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
@ -79,3 +79,6 @@ The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocke
> [!NOTE]
> Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy.
> [!NOTE]
> Deploying policies via the AppLocker CSP will force a reboot during OOBE.