deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 23:07:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

24538295 - Adding CI Policy Command Docs

Browse Source
This commit is contained in:
valemieux 2022-08-08 12:29:46 -07:00
parent a48cc9fe2d
commit 7d9e4abd38
2 changed files with 194 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/windows-defender-application-control/TOC.yml
View File

@ -86,6 +86,8 @@
href: merge-windows-defender-application-control-policies.md href: merge-windows-defender-application-control-policies.md
- name: Enforce WDAC policies - name: Enforce WDAC policies
href: enforce-windows-defender-application-control-policies.md href: enforce-windows-defender-application-control-policies.md
- name: Code Integrity Policy, Token, and Miscellaneous Commands
href: code-integrity-policy-commands.md
- name: Use code signing to simplify application control for classic Windows applications - name: Use code signing to simplify application control for classic Windows applications
href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
items: items:

192
windows/security/threat-protection/windows-defender-application-control/code-integrity-policy-commands.md Normal file
View File

@ -0,0 +1,192 @@
---
title: CI Policy, Token, and Miscellaneous Commands
description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands.
author: valemieux
ms.author: v-alemieux
ms.service: WDAC
ms.topic: how-to
ms.date: 08/07/2022
ms.custom: template-how-to
---
# CIPolicyCommands
Generates Policy Commands, Token Commands, and Miscellaneous Commands for user mode code and drivers.
# Policy Commands
| Command:| --update-policy /Path/To/Policy/File |
| Description: | Add or update a policy on the current system |
| Alias: | -up |
| Command:| --remove-policy PolicyGUID |
| Description: | Remove a policy indicated by PolicyGUID from the system |
| Alias: | -rp |
| Command:| --list-policies |
| Description: | Dump information about all policies on the system, whether they be active or not |
| Alias: | -lp |
# Token Commands
| Command:| --add-token Path/To/Token/File [--token-id ID] |
| Description: | Deploy a token onto the current system, with an optional specific ID. |
| Alias: | -at |
>[!NOTE] If [ID] is specified, a pre-existing token with [ID] should not exist.
| Command:| --remove-token ID |
| Description: | Remove a Token indicated by ID from the system. |
| Alias: | -rt |
| Command:| --list-tokens |
| Description: | Dump information about all tokens on the system |
| Alias: | -lt |
# Miscellaneous Commands
| Command:| --device-id |
| Description: | Dump the Code Integrity Device Id |
| Alias: | -id |
| Command:| --refresh |
| Description: | Attempt to Refresh CI Policies |
| Alias: | -r |
| Command:| --help |
| Description: | Display help |
| Alias: | -h |
#Examples
#Example 1: Update Policy/Deploy
Extract BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip into C:\windows\system32
```powershell```
PS C:\Users\[USER] cd \windows\system32
PS C:\windows\system32> .\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip -up
C:\Windows\System32>.\CITool.exe -update-policy \windows\system32\BF61FE40-8929-4FDF-9EC2-F7A767717F0B.cip
Usage: CiTool.exe COMMAND <Command-Options> [-json]
Commands:
----------------------------- Policy Commands ---------------------------------
--update-policy /Path/To/Policy/File
Add or update a policy on the current system
aliases: -up
--remove-policy PolicyGUID
Remove a policy indicated by PolicyGUID from the system
aliases: -rp
--list-policies
Dump information about all policies on the system, whether they be active or not
aliases: -lp
----------------------------- Token Commands ---------------------------------
--add-token Path/To/Token/File [--token-id ID]
Deploy a token onto the current system, with an optional specific ID
If [ID] is specified, a pre-existing token with [ID] should not exist.
aliases:-at
--remove-token ID
Remove a Token indicated by ID from the system.
aliases: -rt
--list-tokens
Dump information about all tokens on the system
aliases: -lt
----------------------------- Misc Commands ---------------------------------
--device-id
Dump the Code Integrity Device Id
aliases: -id
--refresh
Attempt to Refresh CI Policies
aliases: -r
--help
Display this message
aliases: -h
----------------------------- Global Flags---------------------------------
-json
Format output as json and suppress input
```
#Example 2: Refresh the policy
```powershell```
PS C:\Users\[USER] cd \windows\system32
PS C:\Windows\System32>.\CITool.exe --refresh
Operation Successful
```
#Example 3: Remove the policy
```powershell```
PS C:\Users\[USER] cd \windows\system32
PS C:\Windows\System32>.\CITool.exe --remove-policy {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}
Usage: CiTool.exe COMMAND <Command-Options> [-json]
Commands:
----------------------------- Policy Commands ---------------------------------
--update-policy /Path/To/Policy/File
Add or update a policy on the current system
aliases: -up
--remove-policy PolicyGUID
Remove a policy indicated by PolicyGUID from the system
aliases: -rp
--list-policies
Dump information about all policies on the system, whether they be active or not
aliases: -lp
----------------------------- Token Commands ---------------------------------
--add-token Path/To/Token/File [--token-id ID]
Deploy a token onto the current system, with an optional specific ID
If [ID] is specified, a pre-existing token with [ID] should not exist.
aliases:-at
--remove-token ID
Remove a Token indicated by ID from the system.
aliases: -rt
--list-tokens
Dump information about all tokens on the system
aliases: -lt
----------------------------- Misc Commands ---------------------------------
--device-id
Dump the Code Integrity Device Id
aliases: -id
--refresh
Attempt to Refresh CI Policies
aliases: -r
--help
Display this message
aliases: -h
----------------------------- Global Flags---------------------------------
-json
Format output as json and suppress input
Press Enter to Exit
```
#Example 4: Display help
```powershell```
PS C:\Users\[USER] cd \windows\system32
PS C:\windows\system32> .\CITool.exe -h
----------------------------- Policy Commands ---------------------------------
--update-policy /Path/To/Policy/File
Add or update a policy on the current system
aliases: -up
--remove-policy PolicyGUID
Remove a policy indicated by PolicyGUID from the system
aliases: -rp
--list-policies
Dump information about all policies on the system, whether they be active or not
aliases: -lp
----------------------------- Token Commands ---------------------------------
--add-token Path/To/Token/File [--token-id ID]
Deploy a token onto the current system, with an optional specific ID
If [ID] is specified, a pre-existing token with [ID] should not exist.
aliases:-at
--remove-token ID
Remove a Token indicated by ID from the system.
aliases: -rt
--list-tokens
Dump information about all tokens on the system
aliases: -lt
----------------------------- Misc Commands ---------------------------------
--device-id
Dump the Code Integrity Device Id
aliases: -id
--refresh
Attempt to Refresh CI Policies
aliases: -r
--help
Display this message
aliases: -h
```