From 725184189bd7791f6d67f200def064e03c0436fb Mon Sep 17 00:00:00 2001 From: Anders Ahl <58516456+GenerAhl@users.noreply.github.com> Date: Wed, 14 Sep 2022 10:15:13 +0200 Subject: [PATCH 1/3] Update deploy-windows-defender-application-control-policies-using-intune.md Linked to the ConvertFrom-CIPolicy cmdlet for convenience Updated the "Data type" to reflect the name in Intune which is "Base64 (file)" --- ...-defender-application-control-policies-using-intune.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md index 407a00c553..039e3db596 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md @@ -61,13 +61,13 @@ The steps to use Intune's custom OMA-URI functionality are: 1. Know a generated policy's GUID, which can be found in the policy xml as `` -2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2022-ps) cmdlet in order to be deployed. The binary policy may be signed or unsigned. 3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). 4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy - - **Data type**: Base64 + - **Data type**: Base64 (file) - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. > [!div class="mx-imgBorder"] @@ -86,13 +86,13 @@ Upon deletion, policies deployed through Intune via the ApplicationControl CSP a The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: -1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2022-ps) cmdlet in order to be deployed. The binary policy may be signed or unsigned. 2. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). 3. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy) - - **Data type**: Base64 + - **Data type**: Base64 (file) - **Certificate file**: upload your binary format policy file > [!NOTE] From 0400fe5cdc1ace381473eaa3cee5a81fa48e4cbb Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 14 Sep 2022 08:17:24 -0700 Subject: [PATCH 2/3] fix links --- ...plication-control-policies-using-intune.md | 22 +++++++------------ 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md index 039e3db596..99ba2124a5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md @@ -1,21 +1,15 @@ --- title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows) description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.prod: windows-client +ms.technology: itpro-security ms.localizationpriority: medium -audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm -ms.author: dansimp -manager: dansimp +ms.author: vinpa +manager: aaroncz ms.date: 06/27/2022 -ms.technology: windows-sec --- # Deploy WDAC policies using Mobile Device Management (MDM) @@ -61,12 +55,12 @@ The steps to use Intune's custom OMA-URI functionality are: 1. Know a generated policy's GUID, which can be found in the policy xml as `` -2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2022-ps) cmdlet in order to be deployed. The binary policy may be signed or unsigned. +2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned. 3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). 4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy + - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy` - **Data type**: Base64 (file) - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. @@ -86,12 +80,12 @@ Upon deletion, policies deployed through Intune via the ApplicationControl CSP a The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: -1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2022-ps) cmdlet in order to be deployed. The binary policy may be signed or unsigned. +1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned. 2. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). 3. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy) + - **OMA-URI**: `./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy` - **Data type**: Base64 (file) - **Certificate file**: upload your binary format policy file From e7ab0308fe3c1f86d62d9a6c54d0827e1a052171 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 14 Sep 2022 08:37:20 -0700 Subject: [PATCH 3/3] update metadata --- ...windows-defender-application-control-policies-using-intune.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md index 99ba2124a5..9db5920c58 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md @@ -10,6 +10,7 @@ ms.reviewer: isbrahm ms.author: vinpa manager: aaroncz ms.date: 06/27/2022 +ms.topic: how-to --- # Deploy WDAC policies using Mobile Device Management (MDM)