deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-03-06 10:40:01 -05:00
parent 1257b116a7
commit 960d72a506
1 changed files with 32 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
education/windows/tutorial-deploy-apps-winse/create-policies.md
View File

@ -9,68 +9,69 @@ appliesto:
# Create additional policies for applications
:::image type="content" source="./images/create-additional-policies.png" alt-text="Diagram showing the three tutorial steps, highlighting the policy creation step." border="false":::
:::image type="content" source="./images/create-policies.png" alt-text="Diagram showing the three tutorial steps, highlighting the policy creation step." border="false":::
Additional policies can be written to allow applications that are [semi-compatible](./validate-apps.md#compatible-apps) or [incompatible](./validate-apps.md#incompatible-apps) with the managed installer.
You can create policies to allow applications that are [semi-compatible](./validate-apps.md#semi-compatible-apps) or [incompatible](./validate-apps.md#incompatible-apps) with the managed installer.
The following table details the two policy types to allow apps to run:
| **Policy type** | **How it works** | **When should I use this policy?** | **Security risk** |
|---|---|---|---|
| WDAC Supplemental policy | Directly allows apps meeting the rule criteria to run | For executables that are blocked by the E-Mode policy (Visible from the Event Viewer in the [CodeIntegrity events](./troubleshoot.md)) | Low |
| WDAC supplemental policy | Allows apps meeting the rule criteria to run | For executables that are blocked by the E-Mode policy. The blocked executable are visible from the Event Viewer in the [CodeIntegrity events](./troubleshoot.md)) | Low |
| AppLocker policy | Sets an app to be considered as a managed installer | Only for executables that do installations or updates which are blocked by the E-Mode policy | High |
> [!NOTE]
> The specifics of the policy you will need to write vary from app to app. Public documentation can help you determine which rules would be useful for your app.
> The specifics of the policy you will need to create vary from app to app. Public documentation can help you determine which rules would be useful for your app.
## WDAC supplemental policies
WDAC supplemental policies can be created and then deployed through Intune.
You can create WDAC supplemental policies and then deploy them through Intune.
To allow apps to install and run, you must write supplemental policies targeting the correct base policy. The base policy that you need to target has a PolicyID of `{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}`.
To allow apps to install and run, you must write supplemental policies targeting the correct base policy. The base policy that you must target has a PolicyID of `{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}`.
### Write a supplemental policy
### Create a supplemental policy for Win32 apps
To write a policy, you can use [audit events][WIN-3], as they allow you to observe the actions that would be blocked by Windows 11 SE. From the audit events, you can create a policy to allow those actions.
There are different ways to write a supplemental policy. The suggested method is to use [audit events][WIN-3], as they allow to observe the actions that would be blocked by Windows 11 SE. From the audit events, you can create a policy to allow those actions.
1. On a **non-Windows SE** device, apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml* which is based on the **Windows 11 SE E-mode** policy:
1. On a **non-Windows SE device**, download, install, and launch the [WDAC Policy Wizard][EXT-1]
1. Apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml* which is based on the **Windows 11 SE E-mode** policy:
- Open the **WDAC Wizard** and select **Policy Editor**
- In the Policy Path to Edit field, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next**
:::image type="content" source="images/wdac-winsepolicy.png" alt-text="WDAC wizard - creation of a policy targeting the base WinSEPolicy.xml policy":::
- Toggle the option for **Audit Mode** and complete the Wizard. Note the location of the .cip and .xml files shown on the final page of the wizard
- From an elevated PowerShell session, run the following command to activate the policy:
```cmd
citool.exe -up \<\*Path to the .cip file\*\>
citool.exe -up <"Path to the .cip file">
```
1. With the *Base audit mode policy* for Windows 11 SE in place:
2. With the *Base audit mode policy* for Windows 11 SE in place:
- Download and run the app install for your app
- Launch the app and exercise the app's capabilities
- Uninstall the app
1. Use the WDAC Wizard to create a policy from audit events:
3. Use the WDAC Wizard to create a policy from audit events:
- Open the **WDAC Wizard** and select **Policy Editor**
- Select **Convert Event Log to a WDAC Policy** then select **Parse Event Log** to parse from the system Event Viewer. Select **Next**
- Review each row in the table and choose the type of rule to create. You may want to sort the table by FileName to group duplicate rows together. You need only create a rule on one entry if the values are all duplicates
- Complete the wizard to generate the policy (this will be a *Base* policy). Note the location of the .xml shown (you will use this in the next step).
- Review each row in the table and choose the type of rule to create. You may want to sort the table by FileName to group duplicate rows together. You need to create a single rule if the values are duplicates
- Complete the wizard to generate the policy. This will be a *Base* policy. Note the location of the .xml shown, as you will use this in the next step.
- Check the event log **AppLocker** > **MSI and Script** for any events
- If any events are shown, you can use the **WDAC Wizard** to edit the policy and add additional rules
- Alternatively, you can save all events to *.evtx* file and create a policy from audit events, but browse for the saved *.evtx* file rather than parsing events from the system Event Viewer
1. Convert the policy created in the previous step to a supplemental policy, specifying the E mode audit policy you created in the first step as its *Base*.
4. Convert the policy created in the previous step to a supplemental policy, specifying the E mode audit policy you created in the first step as its *Base*.
```PowerShell
Set-CiPolicyIdInfo -FilePath \<Path to.xml file from previous step\> -BasePolicyToSupplementPath \<Path to the E mode .xml created in the first step\>
Set-CiPolicyIdInfo -FilePath <Path to.xml file from step #4> -BasePolicyToSupplementPath <Path to the E-Mode .xml created from step #2>
```
1. From an elevated PowerShell session, run the following command to activate the policy:
5. From an elevated PowerShell session, run the following command to activate the policy:
```cmd
citool.exe -up \<Path to the .cip file\>
citool.exe -up <"Path to the .cip file">
```
1. Clear the two event logs:
6. Clear the two event logs:
- **CodeIntegrity** > **Operational**
- **AppLocker** > **MSI and Script**
1. Repeat the app testing from step 2. Repeat these steps as needed until no further events are generated.
1. Once you have a policy that works for your app, reset the supplemental policy's Base policy to the official Windows 11 SE BasePolicyId. From an elevated PowerShell session, run the following command:
7. Repeat the app testing from step 3. Repeat these steps as needed until no further events are generated.
8. Once you have a policy that works for your app, reset the supplemental policy's Base policy to the official Windows 11 SE BasePolicyId. From an elevated PowerShell session, run the following command:
```PowerShell
Set-CiPolicyIdInfo - FilePath <"Path to .xml from step 3"> -SupplementsBasePolicyId "{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}"
@ -89,15 +90,14 @@ For additional information:
- Supplemental Policy creation: [Creating a new Supplemental Policy with the Wizard][WIN-2]
- [WDAC Policy Wizard][EXT-1]
### Write a supplemental policy for UWP LOB apps
### Writing a supplemental policy for a UWP LOB app
UWP apps don't work out-of-box due to the Windows 11 SE E-Mode policy. You can create and deploy a supplemental policy using these steps:
UWP apps don't work out-of-box due to the Windows 11 SE E-Mode policy. A supplemental policy can be created and deployed to allow a Store app to run.
1. On a non-Windows SE device, download, install, and launch the [WDAC Policy Wizard][EXT-1].
1. After launching choose "Policy Creator", then choose to create a Supplemental policy.
1. Choose a policy name and policy file location.
1. To set a Base policy that the supplemental policy will apply to, the WDAC Wizard includes a template policy called WinSEPolicy.xml based on Windows 11 SE E mode:
1. On a **non-Windows SE device**, download, install, and launch the [WDAC Policy Wizard][EXT-1]
1. After launching choose **Policy Creator** > **create a Supplemental policy**
1. Choose a policy name and policy file location
1. To set a Base policy that the supplemental policy will apply to, the WDAC Wizard includes a template policy called **WinSEPolicy.xml based** on Windows 11 SE E-Mode:
- Open the WDAC Wizard and select Policy Editor
- In the Policy Path to Edit field, browse for %ProgramFiles%\WindowsApps\Microsoft.WDAC and select the file called WinSEPolicy.xml. Click the Next button.
1. On Policy Rules, click the Next button.
@ -132,29 +132,6 @@ Here are some general guidelines to follow when writing WDAC supplemental polici
- When a *Publisher* rule is not an option (e.g. when the file is unsigned), use *Hash* as the most restrictive option
- You might have to opt for a *FileAttribute* rule, but it can be easily spoofed
### Review and sign WDAC supplemental policies
THIS PROCESS MUST BE DEFINED
Follow the instructions below when you want to sign and deploy your WDAC supplemental policy.
- Create a supplemental policy with the instructions found above
- Sign the policy
- Deploy the signed policy file via Intune
### Deploy WDAC policies
Policies can be deployed via Intune using a custom OMA-URI.
> [!TIP]
> To prevent these policies from being applied to non-Windows SE devices, you can create and target a group with only Windows 11 SE devices in it, or use assignment filters.
[Deploy WDAC policies using Mobile Device Management][WIN-4]
### Troubleshoot WDAC policies
For information how to troubleshoot WDAC supplemental policies, see [WDAC supplemental policy validation](./troubleshoot.md#wdac-supplemental-policy-validation)
## AppLocker policies
> [!WARNING]
@ -171,38 +148,11 @@ If you want to allow apps to run by setting their installers as managed installe
- [Allow apps deployed with a WDAC managed installer][WIN-6]
- [Microsoft WDAC Wizard][EXT-1]
### Deploy AppLocker policies
Intune doesn't currently offer the option to modify AppLocker policies. The deployment of AppLocker policies can be done using PowerShell scripts deployed via Intune.
You can create a PowerShell script that stores the contents of the policy in a variable, then use the Set-AppLockerPolicy command to merge it in. Here's a sample function that does that:
```PowerShell
function MergeAppLockerPolicy([string]$policyXml)
{
$policyFile = '.\AppLockerPolicy.xml'
$policyXml | Out-File $policyFile
Write-Host "Merging and setting AppLocker policy"
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue
Remove-Item $policyFile
}
```
> **Warning**
>
> Intune deploys a script with the AppLocker policy to set Intune Management Extension as a managed installer on all Windows 11 SE devices enrolled into an Intune EDU tenant. If an EDU customer wishes to deploy their own AppLocker policy to set another Managed Installer (in addition to Intune), please be sure to ensure the `-Merge` parameter is used with `Set-AppLockerPolicy`. This will ensure that it plays well with Intune's AppLocker policy. Without using the `-Merge` parameter when deploying to Windows 11 SE devices, it will result in issues with apps getting tagged properly and their ability to run on impacted devices. Learn more about AppLocker Merge policy: Merge AppLocker policies by using [Set-ApplockerPolicy (Windows) | Microsoft Learn][WIN-7]
Once finished, you can deploy the script via Intune. For more information, see [Add PowerShell scripts to Windows devices in Microsoft Intune][MEM-1].
### Troubleshoot AppLocker policies
For information how to troubleshoot AppLocker policies, see [WDAC supplemental policy validation](./troubleshoot.md#applocker---msi-and-script)
## Next steps
Before moving on to the next section, ensure that you've completed the following tasks:
Before moving on to the next section, ensure that you've completed the following tasks.
If there are any errors, create a WDAC supplemental policy
For a WDAC supplemental policy:
> [!div class="checklist"]
> - Signed .cip .p7b file with Device Guard
@ -210,14 +160,14 @@ If there are any errors, create a WDAC supplemental policy
> - Policy created in Intune and assigned to the correct groups
> - Policy applied in Event Viewer
If there are any errors, create an AppLocker policy
For an AppLocker policy
> [!div class="checklist"]
> - Only applied to an updater or installer
> - Merge option used
> - Policy created in Intune and assigned to the correct groups
Advance to the next article to learn how to troubleshoot common errors when deploying apps with managed installer.
Advance to the next article to learn how to deploy the WDAC supplemental policies or AppLocker policies to Windows 11 SE devices.
> [!div class="nextstepaction"]
> [Next: troubleshoot >](troubleshoot.md)