deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 04:13:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Corrected GUID and KEY info in this doc

Browse Source 
I also edited for grammar and format.
This commit is contained in:
Kim Klein
2021-09-07 16:04:12 -07:00
parent 36b8cad96b
commit 7e6cb0a4b5
1 changed files with 21 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
View File

@ -48,19 +48,19 @@ Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC)
### Get COM object GUID
Get GUID of application to allow in one of the following ways:
- Finding block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script) and extracting GUID
- Creating audit policy (using New-CIPolicy Audit), potentially with specific provider, and use info from block events to get GUID
- Finding a block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script), and extracting GUID
- Creating an audit policy (using New-CIPolicy Audit), potentially with a specific provider, and use the info from the block events to get the GUID
### Author policy setting to allow or deny COM object GUID
Three elements:
- Provider: platform on which code is running (values are Powershell, WSH, IE, VBA, MSI, or a wildcard “AllHostIds”)
- Key: GUID for the program you with to run, in the format Key="{33333333-4444-4444-1616-161616161616}"
- Key: GUID for the program you wish to run, in the format Key="{33333333-4444-4444-1616-161616161616}"
- ValueName: needs to be set to "EnterpriseDefinedClsId"
One attribute:
- Value: needs to be “true” for allow and “false” for deny
- Note that deny only works in base policies, not supplemental
- Value: needs to be “true” for allow and “false” for deny<br/>
**Note**: Deny only works in base policies, not supplemental policies
- The setting needs to be placed in the order of ASCII values (first by Provider, then Key, then ValueName)
### Examples
@ -98,17 +98,17 @@ Example 3: Allows a specific COM object to register in PowerShell
Given the following example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**):
Log Name: Microsoft-Windows-AppLocker/MSI and Script
Source: Microsoft-Windows-AppLocker
Date: 11/11/2020 1:18:11 PM
Event ID: 8036
Task Category: None
Level: Error
Keywords:
User: S-1-5-21-3340858017-3068726007-3466559902-3647
Computer: contoso.com
Description:
{f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.
Log Name: Microsoft-Windows-AppLocker/MSI and Script<br/>
Source: Microsoft-Windows-AppLocker<br/>
Date: 11/11/2020 1:18:11 PM<br/>
Event ID: 8036<br/>
Task Category: None<br/>
Level: Error<br/>
Keywords<br/>
User: S-1-5-21-3340858017-3068726007-3466559902-3647<br/>
Computer: contoso.com<br/>
Description: "{f8d253d9-89a4-4daa-87b6-1168369f0b21}" was prevented from running due to Config CI policy.<br/>
Event XML:
@ -122,7 +122,7 @@ Event XML:
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2020-11-11T19:18:11.4029179Z" />
<TimeCreated SystemTime="2020-11-11T13:18:11.4029179Z" />
<EventRecordID>819347</EventRecordID>
<Correlation ActivityID="{61e3e871-adb0-0047-c9cc-e761b0add601}" />
<Execution ProcessID="21060" ThreadID="23324" />
@ -132,7 +132,7 @@ Event XML:
</System>
<EventData>
<Data Name="IsApproved">false</Data>
<Data Name="CLSID">{f8d253d9-89a4-4daa-87b6-1168369f0b21}</Data>
<Data Name="CLSID">"{f8d253d9-89a4-4daa-87b6-1168369f0b21}"</Data>
</EventData>
</Event>
```
@ -143,14 +143,14 @@ To add this CLSID to the existing policy, use the following steps:
2. Copy and edit this command, then run it from the admin PowerShell ISE. Consider the policy name to be `WDAC_policy.xml`.
```PowerShell
PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath <path to policy xml>\WDAC_policy.xml -Key 8856f961-340a-11d0-a96b-00c04fd705a2 -Provider WSH -Value True -ValueName EnterpriseDefinedClsId -ValueType Boolean
PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath <path to policy xml>\WDAC_policy.xml -Key "{f8d253d9-89a4-4daa-87b6-1168369f0b21}" -Provider WSH -Value true -ValueName EnterpriseDefinedClsId -ValueType Boolean
```
Once the command has been run, you will find that the following section is added to the policy XML.
```XML
<Settings>
<Setting Provider="WSH" Key="8856f961-340a-11d0-a96b-00c04fd705a2" ValueName="EnterpriseDefinedClsId">
<Setting Provider="WSH" Key="{f8d253d9-89a4-4daa-87b6-1168369f0b21}" ValueName="EnterpriseDefinedClsId">
<Value>
<Boolean>true</Boolean>
</Value>