From 9686b801df2c66ec2d30f8cc7eb11b09eb182ef3 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Wed, 13 Nov 2019 15:06:38 -0800 Subject: [PATCH] Deploy WDAC with Intune correct usage info Add info to differentiate custom OMA-URI with AppLocker CSP vs ApplicationControl CSP --- ...-defender-application-control-policies-using-intune.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 6a5d1faf03..7b97d2c9fb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
@@ -31,11 +31,13 @@ You can use Microsoft Intune to configure Windows Defender Application Control ( Alternately, you can instead choose to configure an Endpoint Protection profile to deploy built-in Intune-managed WDAC policies on pre-1903 systems. Using Endpoint Protection, you can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. ## Custom OMA-URI profile -To use ApplicationControl CSP through custom OMA-URI, you must: -- Know a generated policy’s GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. +For information on using a custom OMA-URI profile on pre-1903 systems to leverage the AppLocker CSP and deploy custom WDAC policies, refer to [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). + +For 1903+ systems, in order to use ApplicationControl CSP through custom OMA-URI, you must: +- Know a generated policy’s GUID, which can be found in the policy xml as `` - Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. -If you are using hybrid MDM management with System Center Configuration Manager (SCCM) or using Intune, the steps to use Custom OMA-URI functionality to apply the Code Integrity policy are: +From there, the steps to use Custom OMA-URI functionality to apply the Code Integrity policy are: - In the Intune portal, navigate to Device configuration, then Profiles, then create a profile with Custom OMA-URI Settings and add a row. - OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy - Data type: Base64
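Review bot: the added bullet "Know a generated policy’s GUID, which can be found in the policy xml as ``" ends in an empty inline code span, so the reader is never told which XML element actually carries the GUID; the removed line shows the same empty span twice ("`` or ``"), which suggests the angle-bracketed element name is being swallowed as an HTML tag when the markdown renders rather than being shown as code. Escape the angle brackets (backslashes or HTML entities inside the backticks) or name the element in plain prose so the instruction is actionable, and confirm on the rendered page that the name appears. Also, since this bullet now tells the reader to look that value up, the unchanged "OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy" line would be clearer with an explicit placeholder such as `{PolicyGUID}` in place of the bare words "Policy GUID", so nobody pastes the literal text into the profile.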