From e679f238d0df8c58dd65e7d02669eba1a7e05ffe Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 21 Sep 2021 17:13:15 -0700 Subject: [PATCH 01/14] Update configure-authorized-apps-deployed-with-a-managed-installer.md --- ...-apps-deployed-with-a-managed-installer.md | 28 +++++++++---------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 70e5a3a31d..cd3668f905 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -1,6 +1,6 @@ --- -title: Configure authorized apps deployed with a WDAC-managed installer (Windows) -description: Explains about how to configure a custom Manged Installer. +title: Allow apps deployed with a WDAC managed installer (Windows) +description: Explains how to configure a custom Managed Installer. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security 
@@ -11,33 +11,31 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 08/10/2021 +ms.date: 09/22/2021 ms.technology: mde --- -# Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control +# Automatically allow apps deployed by a managed installer with Windows Defender Application Control **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2019 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). - -Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. +With Windows Defender Application Control (WDAC), you can automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, using a feature called _managed installer_. Managed installer can help you balance security and manageability when enforcing application control policies. ## How does a managed installer work? -A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these trusted binaries runs, Windows will monitor the binary's process (and processes it launches), and then tag all files it writes as having originated from a managed installer. 
The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM. +Managed installer uses a special rule collection in AppLocker to designate binaries that are trusted by your organization as an authorized source for application deployment. When one of these trusted binaries runs, Windows monitors the binary's process (and processes it launches) and watches for files being written to disk. As files are written, they are tagged as originating from a managed installer. The managed installer rule collection must be added to your AppLocker policy XML using an XML or text editor, such as Notepad. You can import and deploy your managed installer AppLocker policy XML with Group Policy or apply it using the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM. -Having defined your managed installers by using AppLocker, you can then configure WDAC to trust files that are installed by a managed installer. You do so by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin. +After setting your managed installer rules in AppLocker, you can then configure WDAC to trust files that are installed by a managed installer. You do so by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based purely on its managed installer origin. 
-Ensure that the WDAC policy allows the system/boot components and any other authorized applications that can't be deployed through a managed installer. +> [!NOTE] +> Your WDAC policy must include rules for all system/boot components, kernel drivers, and any other authorized applications that can't be deployed through a managed installer. ## Security considerations with managed installer From e04620bd926c53ef6ed84fb2728a00ae36bd0a14 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 22 Sep 2021 17:09:30 -0700 Subject: [PATCH 02/14] Update configure-authorized-apps-deployed-with-a-managed-installer.md --- ...-apps-deployed-with-a-managed-installer.md | 51 ++++++++++--------- 1 file changed, 28 insertions(+), 23 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index cd3668f905..1282f52575 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
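Review bot: Dropping both the feature-availability [!NOTE] and the "Windows 10, version 1703 introduced" sentence in the @@ -11,33 hunk leaves this page with no statement of the minimum Windows release that supports managed installer, while the same hunk narrows "Applies to" from "Windows Server 2016 and above" to "Windows Server 2019 and above" without the commit message ("Update ...md") mentioning a support change. Keep a one-line pointer to feature-availability.md (or state the minimum client and server versions inline) so an administrator can confirm a device honors the Enabled:Managed Installer option before depending on it, and call out the Server 2016 to 2019 change explicitly in the commit message so the support narrowing is reviewable on its own.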
@@ -26,13 +26,13 @@ ms.technology: mde - Windows 11 - Windows Server 2019 and above -With Windows Defender Application Control (WDAC), you can automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, using a feature called _managed installer_. Managed installer can help you balance security and manageability when enforcing application control policies. +With Windows Defender Application Control (WDAC), you can automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, using a feature called _managed installer_. Managed installer can help you better balance security and manageability when enforcing application control policies. ## How does a managed installer work? -Managed installer uses a special rule collection in AppLocker to designate binaries that are trusted by your organization as an authorized source for application deployment. When one of these trusted binaries runs, Windows monitors the binary's process (and processes it launches) and watches for files being written to disk. As files are written, they are tagged as originating from a managed installer. The managed installer rule collection must be added to your AppLocker policy XML using an XML or text editor, such as Notepad. You can import and deploy your managed installer AppLocker policy XML with Group Policy or apply it using the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM. +Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and processes it launches) and watches for files being written to disk. As files are written, they are tagged as originating from a managed installer. 
-After setting your managed installer rules in AppLocker, you can then configure WDAC to trust files that are installed by a managed installer. You do so by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based purely on its managed installer origin. +You can then configure WDAC to trust files that are installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules for the binary, WDAC will allow it to run based purely on its managed installer origin. > [!NOTE] > Your WDAC policy must include rules for all system/boot components, kernel drivers, and any other authorized applications that can't be deployed through a managed installer. 
@@ -46,7 +46,7 @@ Users with administrator privileges, or malware running as an administrator user If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. -Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. Extension of the installer's authorization could result in unintentional authorization of an executable. To avoid that outcome, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. +Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. ## Known limitations with managed installer 
@@ -58,40 +58,37 @@ Some application installers may automatically run the application at the end of - The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run. -## Configuring the managed installer +## Configure managed installer tracking with AppLocker and WDAC -Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy, with specific rules and options enabled. -There are three primary steps to keep in mind: +To turn on managed installer tracking, you must: -- Specify managed installers, by using the Managed Installer rule collection in AppLocker policy. -- Enable service enforcement in AppLocker policy. -- Enable the managed installer option in a WDAC policy. +- Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs. +- Enable AppLocker's Application Identity and AppLockerFltr services. +- Enable managed installer trust in your WDAC policy. -## Specify managed installers using the Managed Installer rule collection in AppLocker policy +### Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs -The identity of the managed installer executable(s) is specified in an AppLocker policy, in a Managed Installer rule collection. +Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection. +> [!NOTE] +> Only EXE file types can be designated as managed installers. 
-### Create Managed Installer rule collection - -Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the changes that are needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. - -1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability. +1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. This example creates a rule for Microsoft's Intune Management Extension using the Publisher rule type, but any AppLocker rule type can be used. You may need to reformat the output for readability. ```powershell - Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml + Get-ChildItem ${env:ProgramFiles(x86)}'\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe' | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml > AppLocker_MI_PS_ISE.xml ``` -2. Manually rename the rule collection to ManagedInstaller +2. Manually change the rule collection Type from "Exe" to "ManagedInstaller" and set EnforcementMode to "AuditOnly" Change - ```powershell + ```XML ``` to - ```powershell + ```XML ``` 
@@ -175,6 +172,7 @@ An example of a valid Managed Installer rule collection, using Microsoft Endpoin ``` + ### Enable service enforcement in AppLocker policy Since many installation processes rely on services, it is typically necessary to enable tracking of services. @@ -251,9 +249,11 @@ appidtel.exe start [-mionly] Specify "-mionly" if you will not use the Intelligent Security Graph (ISG). ## Using fsutil to query SmartLocker EA + Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This can be achieved by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This can be used in conjunction with enabling the MI and ISG logging events. -#### Example: +**Example:** + ```powershell fsutil file queryEA C:\Users\Temp\Downloads\application.exe @@ -281,6 +281,7 @@ Refer to [Understanding Application Control Events](event-id-explanations.md#opt Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. 1. Use the following command to deploy the policy. + ```powershell $policyFile= @" @@ -290,6 +291,7 @@ Once you've completed configuring your chosen Managed Installer, by specifying w ``` 2. Verify Deployment of the ruleset was successful + ```powershell Get-AppLockerPolicy -Local 
@@ -297,10 +299,13 @@ Once you've completed configuring your chosen Managed Installer, by specifying w ------- --------------- ------------------- 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} ``` + Verify the output shows the ManagedInstaller rule set. 3. Get the policy XML (optional) using PowerShell: + ```powershell Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue ``` - This command will show the raw XML to verify the individual rules that were set. \ No newline at end of file + + This command will show the raw XML to verify the individual rules that were set. From 92b73669c922e558250999ffc2502b1683f64e64 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 23 Sep 2021 16:23:06 -0700 Subject: [PATCH 03/14] Update configure-authorized-apps-deployed-with-a-managed-installer.md --- ...-apps-deployed-with-a-managed-installer.md | 92 +++++++++---------- 1 file changed, 42 insertions(+), 50 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 1282f52575..2fac9952d2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
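Review bot: In the @@ -58,40 hunk, the New-AppLockerPolicy example now targets the Intune Management Extension but still redirects to AppLocker_MI_PS_ISE.xml, a file name left over from the PowerShell ISE example it replaces; rename the output (something like AppLocker_MI_Intune.xml) so the artifact matches the rule it contains. The same command also drops the `Hash` fallback, going from `-RuleType Publisher, Hash` to `-RuleType Publisher`; with Publisher alone the cmdlet cannot produce a rule for an unsigned file, which is fine for the signed Intune agent but sits awkwardly next to the new sentence "any AppLocker rule type can be used". Either restore `Publisher, Hash` or add that the target must be signed for a Publisher rule, and prefer a Publisher rule over Path or Hash for a managed installer anyway, since a path rule on a writable location would let any binary dropped there inherit installer trust.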
@@ -34,9 +34,6 @@ Managed installer uses a special rule collection in **AppLocker** to designate b You can then configure WDAC to trust files that are installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules for the binary, WDAC will allow it to run based purely on its managed installer origin. -> [!NOTE] -> Your WDAC policy must include rules for all system/boot components, kernel drivers, and any other authorized applications that can't be deployed through a managed installer. - ## Security considerations with managed installer Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. 
@@ -92,7 +89,39 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ``` -An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. +3. Manually edit your AppLocker policy and add the EXE and DLL rule collections with at least one rule for each. To ensure your policy can be safely applied on systems that may already have an active AppLocker policy, we recommend using a benign DENY rule to block a fake binary and set the rule collection's EnforcementMode to AuditOnly. Additionally, since many installation processes rely on services, you need to enable services tracking for each of those rule collections. The following example shows a partial AppLocker policy with the EXE and DLL rule collection configured as recommended. + + ```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + +4. Deploy your AppLocker managed installer configuration policy. You can either import your AppLocker policy and deploy with Group Policy or use a script to deploy the policy with the Set-AppLockerPolicy cmdlet. An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. ```xml 
@@ -173,46 +202,18 @@ An example of a valid Managed Installer rule collection, using Microsoft Endpoin ``` -### Enable service enforcement in AppLocker policy +## Set the AppLocker filter driver to autostart -Since many installation processes rely on services, it is typically necessary to enable tracking of services. -Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit-only rule will suffice. The audit rule can be added to the policy created above, which specifies the rule collection of your managed installer. +To enable the managed installer, you need to set the AppLocker filter driver to autostart, and start it. -For example: +To do so, run the following command as an Administrator: -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +```console +appidtel.exe start [-mionly] ``` +Specify "-mionly" if you will not use the Intelligent Security Graph (ISG). + ## Enable the managed installer option in WDAC policy In order to enable trust for the binaries laid down by managed installers, the "Enabled: Managed Installer" option must be specified in your WDAC policy. @@ -236,17 +237,8 @@ Below are steps to create a WDAC policy that allows Windows to boot and enables Set-RuleOption -FilePath -Option 13 ``` -## Set the AppLocker filter driver to autostart - -To enable the managed installer, you need to set the AppLocker filter driver to autostart, and start it. - -To do so, run the following command as an Administrator: - -```console -appidtel.exe start [-mionly] -``` - -Specify "-mionly" if you will not use the Intelligent Security Graph (ISG). +> [!NOTE] +> Your WDAC policy must include rules for all system/boot components, kernel drivers, and any other authorized applications that can't be deployed through a managed installer. ## Using fsutil to query SmartLocker EA From 5461c8aa37e152e9f1cd491a832362bc80fbb7b3 Mon Sep 17 00:00:00 2001 
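Review bot: Step 3 in the @@ -92,7 hunk recommends a benign DENY rule plus EnforcementMode="AuditOnly" for the EXE and DLL collections but only gives the merge-with-existing-policy motivation, so a reader hardening the sample is likely to flip AuditOnly to Enabled. State both halves of the reasoning where the recommendation is made: the collection needs at least one rule for services enforcement to take effect (the "Enable service enforcement" section this patch deletes said exactly that: "Correct tracking of services requires the presence of at least one rule in the rule collection"), and the mode must stay AuditOnly because an EXE or DLL collection in Enabled mode with only a deny rule blocks every executable or DLL on a device that has no other AppLocker policy. Also, step 4 currently fuses two thoughts ("Deploy your AppLocker managed installer configuration policy..." followed by "An example of a valid Managed Installer rule collection ... is shown below"); splitting the complete-policy example into its own step before the deployment step would read better.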
From: jsuther1974 Date: Tue, 28 Sep 2021 17:19:54 -0700 Subject: [PATCH 04/14] Refactored managed installer docs --- ...-apps-deployed-with-a-managed-installer.md | 219 ++++++------------ .../configure-wdac-managed-installer.md | 187 +++++---------- 2 files changed, 124 insertions(+), 282 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 2fac9952d2..4e8d47ed2c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -61,7 +61,6 @@ To turn on managed installer tracking, you must: - Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs. - Enable AppLocker's Application Identity and AppLockerFltr services. -- Enable managed installer trust in your WDAC policy. ### Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs @@ -93,7 +92,7 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ```xml - + @@ -105,7 +104,7 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS - + 
@@ -114,105 +113,77 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS - - - ``` -4. Deploy your AppLocker managed installer configuration policy. You can either import your AppLocker policy and deploy with Group Policy or use a script to deploy the policy with the Set-AppLockerPolicy cmdlet. An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. +4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Microsoft Endpoint Config Manager (MEMCM)and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This ensures the policy will merge successfully on devices which may already have an AppLocker policy in place. -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - -``` + + + + + + + + + + + + + + + + + + ``` -## Set the AppLocker filter driver to autostart +5. Deploy your AppLocker managed installer configuration policy. You can either import your AppLocker policy and deploy with Group Policy or use a script to deploy the policy with the Set-AppLockerPolicy cmdlet as shown in the following PowerShell command. -To enable the managed installer, you need to set the AppLocker filter driver to autostart, and start it. + ```powershell + Set-AppLockerPolicy -XmlPolicy -Merge -ErrorAction SilentlyContinue + ``` -To do so, run the following command as an Administrator: +6. If deploying your AppLocker policy via script, use appidtel.exe to configure the AppLocker Application Identity service and AppLocker filter driver. 
-```console -appidtel.exe start [-mionly] -``` - -Specify "-mionly" if you will not use the Intelligent Security Graph (ISG). + ```console + appidtel.exe start [-mionly] + ``` + + Specify "-mionly" if you don't plan to use the Intelligent Security Graph (ISG). ## Enable the managed installer option in WDAC policy 
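Review bot: Step 5 in the @@ -114,105 hunk deploys with `Set-AppLockerPolicy -XmlPolicy -Merge -ErrorAction SilentlyContinue`, and this same patch removes the "Verify Deployment of the ruleset was successful" step that ran `Get-AppLockerPolicy -Local` and checked for ManagedInstaller in RuleCollectionTypes. A silently failed merge means no files get tagged with a managed installer origin, and everything the installer deploys is blocked once the WDAC policy is enforced, with nothing left in this procedure to show why; drop `-ErrorAction SilentlyContinue`, or keep the Get-AppLockerPolicy verification as the follow-up to step 5. Step 6 also loses the "run the following command as an Administrator" requirement that the deleted "Set the AppLocker filter driver to autostart" section carried for `appidtel.exe start [-mionly]`; restore it, since the step now reads as if it could be run from any prompt. Minor: "Microsoft Endpoint Config Manager (MEMCM)and" in step 4 is missing a space before "and".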
@@ -237,67 +208,11 @@ Below are steps to create a WDAC policy that allows Windows to boot and enables Set-RuleOption -FilePath -Option 13 ``` +4. Deploy your WDAC policy. See [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md). + > [!NOTE] > Your WDAC policy must include rules for all system/boot components, kernel drivers, and any other authorized applications that can't be deployed through a managed installer. -## Using fsutil to query SmartLocker EA +## Related articles -Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This can be achieved by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This can be used in conjunction with enabling the MI and ISG logging events. - -**Example:** - -```powershell -fsutil file queryEA C:\Users\Temp\Downloads\application.exe - -Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe: - -Ea Buffer Offset: 410 -Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM -Ea Value Length: 7e -0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................ -0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. * -0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\...... -0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:. -0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T. -0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n... -0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l. 
-0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e -``` - -## Enabling managed installer logging events - -Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. - -## Deploying the Managed Installer rule collection - -Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. - -1. Use the following command to deploy the policy. - - ```powershell - $policyFile= - @" - Raw_AppLocker_Policy_XML - "@ - Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue - ``` - -2. Verify Deployment of the ruleset was successful - - ```powershell - Get-AppLockerPolicy -Local - - Version RuleCollections RuleCollectionTypes - ------- --------------- ------------------- - 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} - ``` - - Verify the output shows the ManagedInstaller rule set. - -3. Get the policy XML (optional) using PowerShell: - - ```powershell - Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue - ``` - - This command will show the raw XML to verify the individual rules that were set. +- [Managed installer and ISG technical reference and troubleshooting guide](configure-wdac-managed-installer.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index a6fe5ce62e..de7ad4786a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -1,5 +1,5 @@ --- -title: Configure a WDAC managed installer (Windows) +title: Managed installer and ISG technical reference and troubleshooting guide (Windows) description: Explains how to configure a custom Manged Installer. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
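Review bot: The @@ -1,5 hunk retitles configure-wdac-managed-installer.md to "Managed installer and ISG technical reference and troubleshooting guide", but the unchanged description line still reads "Explains how to configure a custom Manged Installer": the same "Manged" typo patch 01 fixed in the companion file, and a description of the configuration content this patch moves out of the page. Update the description to match the new troubleshooting scope, and bump ms.date (still 08/14/2020 in the next hunk's context) the way patch 01 did for the other file. Both files also carry the identical ms.assetid 8d6e0474-c475-411b-b095-1c61adb2bdbb; worth checking, since that id is meant to identify a single article.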
@@ -18,148 +18,75 @@ ms.date: 08/14/2020 ms.technology: mde --- -# Configuring a managed installer with AppLocker and Windows Defender Application Control +# Managed installer and ISG technical reference and troubleshooting guide **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2019 and above >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). -Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled. -There are three primary steps to keep in mind: +## Using fsutil to query SmartLocker EA -- Specify managed installers by using the Managed Installer rule collection in AppLocker policy. -- Enable service enforcement in AppLocker policy. -- Enable the managed installer option in a WDAC policy. +Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This can be achieved by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This can be used in conjunction with enabling the MI and ISG logging events. -## Specify managed installers using the Managed Installer rule collection in AppLocker policy +**Example:** -The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection. 
+```powershell +fsutil file queryEA C:\Users\Temp\Downloads\application.exe -### Create Managed Installer rule collection +Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe: -Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. - -1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability. - - ```powershell - Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml - ``` - -2. Manually rename the rule collection to ManagedInstaller - - Change - - ```powershell - - ``` - - to - - ```powershell - - ``` - -An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below. - -```xml - - - - - - - - - - - - - - - - +Ea Buffer Offset: 410 +Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM +Ea Value Length: 7e +0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................ +0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. * +0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\...... +0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:. +0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T. +0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n... 
+0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l. +0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e ``` -### Enable service enforcement in AppLocker policy - -Since many installation processes rely on services, it is typically necessary to enable tracking of services. -Correct tracking of services requires the presence of at least one rule in the rule collection, so a simple audit only rule will suffice. This can be added to the policy created above which specifies your managed installer rule collection. - -For example: - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Enable the managed installer option in WDAC policy - -In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy. -This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13. - -Below are steps to create a WDAC policy that allows Windows to boot and enables the managed installer option. - -1. Copy the DefaultWindows_Audit policy into your working folder from C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml - -2. Reset the policy ID to ensure it is in multiple policy format and give it a different GUID from the example policies. Also give it a friendly name to help with identification. - - Ex. - - ```powershell - Set-CIPolicyIdInfo -FilePath -PolicyName "" -ResetPolicyID - ``` - -3. Set Option 13 (Enabled:Managed Installer) - - ```powershell - Set-RuleOption -FilePath -Option 13 - ``` - -## Set the AppLocker filter driver to autostart - -To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it. - -To do so, run the following command as an Administrator: - -```console -appidtel.exe start [-mionly] -``` - -Specify `-mionly` if you will not use the Intelligent Security Graph (ISG). 
- ## Enabling managed installer logging events -Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. \ No newline at end of file +Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. + +## Deploying the Managed Installer rule collection + +Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. + +1. Use the following command to deploy the policy. + + ```powershell + $policyFile= + @" + Raw_AppLocker_Policy_XML + "@ + Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue + ``` + +2. Verify Deployment of the ruleset was successful + + ```powershell + Get-AppLockerPolicy -Local + + Version RuleCollections RuleCollectionTypes + ------- --------------- ------------------- + 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} + ``` + + Verify the output shows the ManagedInstaller rule set. + +3. Get the policy XML (optional) using PowerShell: + + ```powershell + Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue + ``` + + This command will show the raw XML to verify the individual rules that were set. From 33822bc890ba663ab1852b4aef16472559765138 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 30 Sep 2021 08:38:16 -0700 Subject: [PATCH 05/14] Update configure-authorized-apps-deployed-with-a-managed-installer.md --- ...figure-authorized-apps-deployed-with-a-managed-installer.md | 3 +++ 1 file changed, 3 insertions(+) 
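Review bot: in the fsutil sample output added under "Using fsutil to query SmartLocker EA", the hex bytes and the ASCII column disagree. From offset 0040 the bytes `5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00` are UTF-16LE for `\Users\j`, and at 0060 `52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00` is `REDMOND\`, so the bytes still hold the original capture's Redmond user-profile path while the ASCII column was edited by hand to read `\Users\Temp\Downloads\application.exe`. Please regenerate the dump against a file that really sits at `C:\Users\Temp\Downloads\application.exe` so both columns match and no internal path ships in the docs. Two smaller points in the same hunk: the sentence "The presence of this EA indicates that either MI or ISG allowed the file to run" overstates what the EA proves, because the text this hunk removes says trust for such binaries only applies once "Enabled: Managed Installer" is set in the WDAC policy; the EA shows that the file was tagged as MI/ISG origin, and the MI/ISG diagnostic events linked in the next section are the record of whether it was actually allowed. And in step 1 of "Deploying the Managed Installer rule collection", `Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue` swallows any failure to apply the policy, so the step can silently do nothing; drop `-ErrorAction SilentlyContinue` (or check `$?` afterwards). Since this hunk also removes the rule-collection, service-enforcement and Option 13 steps that the section's opening sentence still refers to, add a link to the article that now holds those steps.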
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 4e8d47ed2c..3b9a4829da 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -26,6 +26,9 @@ ms.technology: mde - Windows 11 - Windows Server 2019 and above +>[!NOTE] +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). + With Windows Defender Application Control (WDAC), you can automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, using a feature called _managed installer_. Managed installer can help you better balance security and manageability when enforcing application control policies. ## How does a managed installer work? From 08c9b1d56f576046464b459080a6fb2b8db6d87c Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Mon, 25 Oct 2021 10:14:49 -0700 Subject: [PATCH 06/14] Fixed feature name --- .../windows-defender-application-control/TOC.yml | 2 ++ ...gistration-in-windows-defender-application-control-policy.md | 2 +- ...and-enforce-windows-defender-application-control-policies.md | 2 +- .../audit-windows-defender-application-control-policies.md | 2 +- .../configure-wdac-managed-installer.md | 2 +- .../deployment/deploy-wdac-policies-with-memcm.md | 2 +- .../deployment/deploy-wdac-policies-with-script.md | 2 +- .../operations/known-issues.md | 2 +- 8 files changed, 9 insertions(+), 7 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 2a9d13497a..33b376df95 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -105,6 +105,8 @@ href: querying-application-control-events-centrally-using-advanced-hunting.md - name: Known Issues href: operations/known-issues.md + - name: Managed installer and ISG technical reference and troubleshooting guide + href: configure-wdac-managed-installer.md - name: AppLocker href: applocker\applocker-overview.md items: diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index 5d98c29cbb..b49ba3d525 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md 
@@ -26,7 +26,7 @@ ms.technology: mde - Windows Server 2016 and later > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 671bd29bf1..aaa75e5b5e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 706f2e6d6a..c06c8cf8ea 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index de7ad4786a..3ce71b5b5e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2019 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). ## Using fsutil to query SmartLocker EA diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 3dcca008bc..f07be90a23 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md 
@@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC) on client machines. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 2212ae92fb..f3993cbff8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md 
@@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 3cd76bde2b..3f8896beaa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md 
@@ -26,7 +26,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic covers tips and tricks for admins as well as known issues with WDAC. Test this configuration in your lab before enabling it in production. From 55ebd9f8442ea23a70acfd32d0c3ebae7d557cd3 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 26 Oct 2021 09:21:21 -0700 Subject: [PATCH 07/14] Update configure-authorized-apps-deployed-with-a-managed-installer.md --- ...figure-authorized-apps-deployed-with-a-managed-installer.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 3b9a4829da..fd636e4b7e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
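Review bot: the rename to "Application Control feature availability" in the configure-wdac-managed-installer.md hunk (and in the other six pages of this "Fixed feature name" commit) leaves configure-authorized-apps-deployed-with-a-managed-installer.md out of step, because the note added to that file in the preceding patch links the same target as "Windows Defender Application Control feature availability"; include that file too so every WDAC page uses one link text. While touching these note lines, the `> [!NOTE]` (space) form in allow-com-object-registration-in-windows-defender-application-control-policy.md versus the `>[!NOTE]` form in the other files could be normalized in the same pass.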
@@ -188,6 +188,9 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS Specify "-mionly" if you don't plan to use the Intelligent Security Graph (ISG). +> [!NOTE] +> Managed installer tracking will start the next time a process runs that matches your managed installer rules. If an intended process is already running, you must restart it. + ## Enable the managed installer option in WDAC policy In order to enable trust for the binaries laid down by managed installers, the "Enabled: Managed Installer" option must be specified in your WDAC policy. From e02da38c0dc725bd7bffa74001875cb7515d1050 Mon Sep 17 00:00:00 2001 
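Review bot: the new `> [!NOTE]` block uses a space after `>` while the note this same file gained in PATCH 05 is written `>[!NOTE]`; pick one form for the file. On placement, the note sits directly after the `-mionly` sentence and so reads as a caveat about `appidtel.exe start` only, yet it says tracking starts "the next time a process runs that matches your managed installer rules", which depends on the rule collection being in effect as well as the filter driver running; consider wording it as applying once the whole configuration is complete and, if the author can confirm it, stating that files an already-running installer wrote before tracking began are not tagged retroactively, since that is the case an admin who has to restart a process will actually hit.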
From: MandiOhlinger Date: Thu, 28 Oct 2021 18:35:44 -0400 Subject: [PATCH 08/14] removing 10 mobile references --- ...d-unsigned-app-to-code-integrity-policy.md | 5 ++-- ...management-microsoft-store-for-business.md | 13 +++++---- .../apps-in-microsoft-store-for-business.md | 1 - .../assign-apps-to-employees.md | 1 - ...m-provider-microsoft-store-for-business.md | 4 +-- .../device-guard-signing-portal.md | 3 +-- ...distribute-apps-from-your-private-store.md | 1 - ...-employees-microsoft-store-for-business.md | 1 - .../distribute-apps-with-management-tool.md | 1 - store-for-business/distribute-offline-apps.md | 1 - .../find-and-acquire-apps-overview.md | 1 - store-for-business/index.md | 1 - .../manage-access-to-private-store.md | 4 +-- ...s-microsoft-store-for-business-overview.md | 1 - .../manage-private-store-settings.md | 1 - ...e-settings-microsoft-store-for-business.md | 1 - ...and-groups-microsoft-store-for-business.md | 1 - .../microsoft-store-for-business-overview.md | 11 ++++---- .../notifications-microsoft-store-business.md | 1 - ...requisites-microsoft-store-for-business.md | 1 - ...ermissions-microsoft-store-for-business.md | 27 +++++++++---------- ...egrity-policy-with-device-guard-signing.md | 1 - ...p-microsoft-store-for-business-overview.md | 1 - ...oubleshoot-microsoft-store-for-business.md | 4 +-- .../working-with-line-of-business-apps.md | 1 - 25 files changed, 33 insertions(+), 55 deletions(-) diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index c176253d0a..8ab3f71620 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md 
@@ -24,7 +24,7 @@ ms.date: 07/21/2021 > We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. > > Following are the major changes we are making to the service: -> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download at [https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/). > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). > - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. 
> @@ -38,10 +38,9 @@ ms.date: 07/21/2021 > For any questions, please contact us at DGSSMigration@microsoft.com. -**Applies to** +**Applies to**: - Windows 10 -- Windows 10 Mobile When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md index 18893e3bf3..3eb99b3802 100644 --- a/store-for-business/app-inventory-management-microsoft-store-for-business.md +++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md @@ -19,7 +19,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). 
@@ -64,12 +63,12 @@ Each app in the Store for Business has an online, or an offline license. For mor | Action | Online-licensed app | Offline-licensed app | | ------ | ------------------- | -------------------- | -| Assign to employees | X | | -| Add to private store | X | | -| Remove from private store | X | | -| View license details | X | | -| View product details | X | X | -| Download for offline use | | X | +| Assign to employees | ✔️ | | +| Add to private store | ✔️ | | +| Remove from private store | ✔️ | | +| View license details | ✔️ | | +| View product details | ✔️ | ✔️ | +| Download for offline use | | ✔️ | The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md index 67c1ece453..4e4499a673 100644 --- a/store-for-business/apps-in-microsoft-store-for-business.md +++ b/store-for-business/apps-in-microsoft-store-for-business.md @@ -21,7 +21,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md index 20eb4e01bc..a718684e7e 100644 --- a/store-for-business/assign-apps-to-employees.md +++ b/store-for-business/assign-apps-to-employees.md 
@@ -21,7 +21,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md index 92d67673bf..d58b7a705a 100644 --- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md +++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md @@ -17,9 +17,9 @@ ms.date: 07/21/2021 # Configure an MDM provider -**Applies to** +**Applies to**: + - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index 3c5210990f..572a7c1267 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md 
@@ -17,10 +17,9 @@ ms.date: 07/21/2021 # Device Guard signing -**Applies to** +**Applies to**: - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md index d5dac5ad49..c0ccce55a6 100644 --- a/store-for-business/distribute-apps-from-your-private-store.md +++ b/store-for-business/distribute-apps-from-your-private-store.md @@ -20,7 +20,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md index 6dc4592fc8..723648db24 100644 --- a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md +++ b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md 
@@ -21,7 +21,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md index b864a22c4c..3e744d9281 100644 --- a/store-for-business/distribute-apps-with-management-tool.md +++ b/store-for-business/distribute-apps-with-management-tool.md @@ -21,7 +21,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index 2ccb2ee579..5ee0219d23 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -21,7 +21,6 @@ ms.date: 07/21/2021 **Applies to:** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). 
diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md index a4e3654b6c..9a624bd3c0 100644 --- a/store-for-business/find-and-acquire-apps-overview.md +++ b/store-for-business/find-and-acquire-apps-overview.md @@ -21,7 +21,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/index.md b/store-for-business/index.md index 14421101db..83186f8f8b 100644 --- a/store-for-business/index.md +++ b/store-for-business/index.md @@ -19,7 +19,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md index 1b28372459..35b33daedd 100644 --- a/store-for-business/manage-access-to-private-store.md +++ b/store-for-business/manage-access-to-private-store.md 
@@ -20,7 +20,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). @@ -40,9 +39,9 @@ Organizations can use either an MDM policy, or Group Policy to show only their p Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports Microsoft Store for Business, the MDM can use the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). More specifically, the [ApplicationManagement/RequirePrivateStoreOnly](/windows/client-management/mdm/policy-configuration-service-provider#ApplicationManagement_RequirePrivateStoreOnly) policy. **ApplicationManagement/RequirePrivateStoreOnly** policy is supported on the following Windows 10 editions: + - Enterprise - Education -- Mobile For more information on configuring an MDM provider, see [Configure an MDM provider](./configure-mdm-provider-microsoft-store-for-business.md). @@ -51,6 +50,7 @@ For more information on configuring an MDM provider, see [Configure an MDM provi If you're using Microsoft Store and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. **Only display the private store within Microsoft Store app** group policy is supported on the following Windows 10 editions: + - Enterprise - Education 
diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md index 475618f84f..bc995342eb 100644 --- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md +++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md @@ -20,7 +20,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md index 13ac789510..5ec635a24d 100644 --- a/store-for-business/manage-private-store-settings.md +++ b/store-for-business/manage-private-store-settings.md @@ -20,7 +20,6 @@ ms.localizationpriority: medium **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md index f74be6f5f0..f271481d73 100644 --- a/store-for-business/manage-settings-microsoft-store-for-business.md +++ b/store-for-business/manage-settings-microsoft-store-for-business.md 
@@ -20,7 +20,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md index e89839c992..a417157bc2 100644 --- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md +++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md @@ -21,7 +21,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index 07e2aca4db..b3eed6f968 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md @@ -4,7 +4,7 @@ description: With Microsoft Store for Business and Microsoft Store for Education ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C ms.reviewer: ms.prod: w10 -ms.pagetype: store, mobile +ms.pagetype: store ms.mktglfcycl: manage ms.sitesec: library ms.author: cmcatee 
@@ -20,7 +20,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). @@ -92,10 +91,10 @@ After your admin signs up for the Store for Business and Education, they can ass | Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing | | ---------- | ---------------- | ------------ | --------------- | -------------------- | -| Admin | X | X | X | | -| Purchaser | | X | X | | -| Device Guard signer | | | | X | -| Basic purchaser | | X | X | | +| Admin | ✔️ | ✔️ | ✔️ | | +| Purchaser | | ✔️ | ✔️ | | +| Device Guard signer | | | | ✔️ | +| Basic purchaser | | ✔️ | ✔️ | | > [!NOTE] > Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see [Microsoft Store for Education permissions](/education/windows/education-scenarios-store-for-business?toc=%2fmicrosoft-store%2feducation%2ftoc.json#manage-domain-settings). diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md index 9b485fe9c5..dd8d1a7d29 100644 --- a/store-for-business/notifications-microsoft-store-business.md +++ b/store-for-business/notifications-microsoft-store-business.md 
@@ -22,7 +22,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index dad7913c94..187abb5bb8 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md @@ -20,7 +20,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index 12d87d243f..360f9490aa 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md @@ -21,7 +21,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). 
@@ -37,13 +36,13 @@ Microsoft Store for Business and Education has a set of roles that help admins a This table lists the global user accounts and the permissions they have in Microsoft Store. -| | **Global Administrator** | **Billing Administrator** | +|   | **Global Administrator** | **Billing Administrator** | | ------------------------------ | --------------------- | --------------------- | -| **Sign up for Microsoft Store for Business and Education** | X | X | -| **Modify company profile settings** | X | X | -| **Purchase apps** | X | X | -| **Distribute apps** | X | X | -| **Purchase subscription-based software** | X | X | +| **Sign up for Microsoft Store for Business and Education** | ✔️ | ✔️ | +| **Modify company profile settings** | ✔️ | ✔️ | +| **Purchase apps** | ✔️ | ✔️ | +| **Distribute apps** | ✔️ | ✔️ | +| **Purchase subscription-based software** | ✔️ | ✔️ | - **Global Administrator** and **Billing Administrator** - IT Pros with these accounts have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. 
@@ -53,14 +52,14 @@ Microsoft Store for Business has a set of roles that help IT admins and employee This table lists the roles and their permissions. -| | **Admin** | **Purchaser** | **Device Guard signer** | +|   | **Admin** | **Purchaser** | **Device Guard signer** | | ------------------------------ | ------ | -------- | ------------------- | -| **Assign roles** | X | | | -| **Manage Microsoft Store for Business and Education settings** | X | | | -| **Acquire apps** | X | X | | -| **Distribute apps** | X | X | | -| **Sign policies and catalogs** | X | | | -| **Sign Device Guard changes** | X | | X | +| **Assign roles** | ✔️ | | | +| **Manage Microsoft Store for Business and Education settings** | ✔️ | | | +| **Acquire apps** | ✔️ | ✔️ | | +| **Distribute apps** | ✔️ | ✔️ | | +| **Sign policies and catalogs** | ✔️ | | | +| **Sign Device Guard changes** | ✔️ | | ✔️ | These permissions allow people to: diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index 2cc38be25b..d7f05fb986 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md @@ -42,7 +42,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md index 33925566bf..c51e8f7899 100644 --- a/store-for-business/sign-up-microsoft-store-for-business-overview.md +++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md 
@@ -20,7 +20,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md index 0a66d2a739..f54b676866 100644 --- a/store-for-business/troubleshoot-microsoft-store-for-business.md +++ b/store-for-business/troubleshoot-microsoft-store-for-business.md @@ -20,7 +20,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). 
@@ -29,6 +28,7 @@ Troubleshooting topics for Microsoft Store for Business. ## Can't find apps in private store The private store for your organization is a page in Microsoft Store app that contains apps that are private to your organization. After your organization acquires an app, your Store for Business admin can add it to your organization's private store. Your private store usually has a name that is close to the name of your organization or company. If you can't see your private store, there are a couple of things to check: + - **No apps in the private store** - The private store page is only available in Microsoft Store on Windows 10 if there are apps added to your private store. You won't see your private store page with no apps listed on it. If your Microsoft Store for Business admin has added an app to the private store, and the private store page is still not available, they can check the private store status for the app on **Product & services - Apps**. If the status under **Private store** is **Add in progress**, wait and check back. - **Signed in with the wrong account** - If you have multiple accounts that you use in your organization, you might be signed in with the wrong account. Or, you might not be signed in. Use this procedure to sign in with your organization account. @@ -64,5 +64,5 @@ If you are still having trouble using Microsoft Store or installing an app, Admi **To view Support page**  -1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com). 2.Choose **Manage**> **Support**. diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index 8efc8effad..42eda0b990 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md 
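Review bot: in the troubleshoot-microsoft-store-for-business.md hunk at `@@ -64,5 +64,5`, the change adds a period to step 1 but leaves the following context line `2.Choose **Manage**> **Support**.` untouched, and without a space after `2.` that line does not render as the second item of the numbered list (it also lacks a space before `>`). Since this hunk already edits the adjacent line, fix it in the same change: `2. Choose **Manage** > **Support**.`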
@@ -20,7 +20,6 @@ ms.date: 07/21/2021 **Applies to** - Windows 10 -- Windows 10 Mobile > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). From e1ce16ffa9b4302a8e9a98e8ba8a3e3d33b0b9f1 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Thu, 28 Oct 2021 18:44:40 -0400 Subject: [PATCH 09/14] review updates --- .../add-unsigned-app-to-code-integrity-policy.md | 2 +- .../configure-mdm-provider-microsoft-store-for-business.md | 2 +- store-for-business/device-guard-signing-portal.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index 8ab3f71620..d96d350d9d 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md @@ -38,7 +38,7 @@ ms.date: 07/21/2021 > For any questions, please contact us at DGSSMigration@microsoft.com. -**Applies to**: +**Applies to** - Windows 10 diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md index d58b7a705a..9baef1a798 100644 --- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md +++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md @@ -17,7 +17,7 @@ ms.date: 07/21/2021 # Configure an MDM provider -**Applies to**: +**Applies to** - Windows 10 diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index 572a7c1267..dbccbf3bae 100644 --- a/store-for-business/device-guard-signing-portal.md 
+++ b/store-for-business/device-guard-signing-portal.md @@ -17,7 +17,7 @@ ms.date: 07/21/2021 # Device Guard signing -**Applies to**: +**Applies to** - Windows 10 @@ -132,7 +132,7 @@ Device Guard is a feature set that consists of both hardware and software system **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command. **Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy -signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration. +signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration. - Usage: From 78f098b418a4c0334481f6eed62b3bdc195058ec Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Oct 2021 16:41:21 -0700 Subject: [PATCH 10/14] Revise Markdown to elicit a "data matrix" table What's a "data matrix" table on docs.microsoft.com? https://review.docs.microsoft.com/en-us/help/contribute/markdown-reference?branch=main#data-matrix-tables --- .../roles-and-permissions-microsoft-store-for-business.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
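Review bot: in the device-guard-signing-portal.md hunk at `@@ -132,7 +132,7`, the unchanged context line still reads "automated build rocess" (should be "process"), and the edited line's "Otherwise, binary policy file may not be deployed properly" is missing an article ("the binary policy file"); both sit inside the lines this hunk touches, so correct them here rather than in a later pass. The link text `ConvertFromCiPolicy` also does not match the cmdlet's real name, `ConvertFrom-CIPolicy`, which the corrected URL path (`convertfrom-cipolicy`) already reflects; use the hyphenated name as the link text so readers can locate the cmdlet with `Get-Help ConvertFrom-CIPolicy`.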
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index 360f9490aa..d04d9e5277 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md @@ -36,7 +36,7 @@ Microsoft Store for Business and Education has a set of roles that help admins a This table lists the global user accounts and the permissions they have in Microsoft Store. -|   | **Global Administrator** | **Billing Administrator** | +|| Global Administrator | Billing Administrator | | ------------------------------ | --------------------- | --------------------- | | **Sign up for Microsoft Store for Business and Education** | ✔️ | ✔️ | | **Modify company profile settings** | ✔️ | ✔️ | @@ -52,7 +52,7 @@ Microsoft Store for Business has a set of roles that help IT admins and employee This table lists the roles and their permissions. -|   | **Admin** | **Purchaser** | **Device Guard signer** | +|| Admin | Purchaser | Device Guard signer | | ------------------------------ | ------ | -------- | ------------------- | | **Assign roles** | ✔️ | | | | **Manage Microsoft Store for Business and Education settings** | ✔️ | | | From 708f150e365f961fff5c240f2e1d107190cf6b43 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Oct 2021 17:27:07 -0700 Subject: [PATCH 11/14] Correct indentation of code block --- ...ows-defender-application-control-policy.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index de76aa7245..9e1b49b4c8 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -104,16 +104,16 @@ Example 3: Allows a specific COM object to register in PowerShell Here's an example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**): -Log Name: Microsoft-Windows-AppLocker/MSI and Script
-Source: Microsoft-Windows-AppLocker
-Date: 11/11/2020 1:18:11 PM
-Event ID: 8036
-Task Category: None
-Level: Error
-Keywords:
-User: S-1-5-21-3340858017-3068726007-3466559902-3647
-Computer: contoso.com
-Description: {f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.
+> Log Name: Microsoft-Windows-AppLocker/MSI and Script
+> Source: Microsoft-Windows-AppLocker
+> Date: 11/11/2020 1:18:11 PM
+> Event ID: 8036
+> Task Category: None
+> Level: Error
+> Keywords:
+> User: S-1-5-21-3340858017-3068726007-3466559902-3647
+> Computer: contoso.com
+> Description: {f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy. Event XML: @@ -155,10 +155,10 @@ To add this CLSID to the existing policy, follow these steps: Once the command has been run, you will find that the following section is added to the policy XML. ```XML - - - - true - - + + + + true + + ``` From 351ff77bb8821d4f9a669f27b15ba17975fddb26 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Oct 2021 17:28:10 -0700 Subject: [PATCH 12/14] Added missing period --- .../deployment/deploy-wdac-policies-with-memcm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 7f99abbe58..1ac9e541d2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md 
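Review bot: in the allow-com-object-registration hunk at `@@ -104,16 +104,16`, the Event Viewer record (`Log Name:` through `Description:`) is program output and would be better placed in a fenced code block than turned into a `>` blockquote: in standard Markdown, consecutive `>` lines with no blank `> ` line between them are joined into a single run-on paragraph, so the ten fields will render as one line of text. A fence (the same page already uses one for the `Event XML:` block in the next hunk) preserves one field per line and keeps the SID, GUID and event ID copyable exactly as logged.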
@@ -41,7 +41,7 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10 Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. -For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) +For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager). ## Deploy custom WDAC policies using Packages/Programs or Task Sequences From c20d41c2d07a8cfb0457cf60e4678076c912de44 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Oct 2021 17:30:58 -0700 Subject: [PATCH 13/14] Corrected indentation of code block in a list item --- .../deployment/deploy-wdac-policies-with-script.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index c118114f74..36243edbf3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md 
@@ -61,13 +61,15 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. 1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: -```powershell -mountvol J: /S -J: -mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active -``` -2. Copy the signed policy binary as `{PolicyGUID}.cip` to J:\EFI\Microsoft\Boot\CiPolicies\Active + ```powershell + mountvol J: /S + J: + mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active + ``` + +2. Copy the signed policy binary as `{PolicyGUID}.cip` to `J:\EFI\Microsoft\Boot\CiPolicies\Active`. + 3. Reboot the system. ## Script-based deployment process for Windows 10 versions earlier than 1903 From 806813def8ef9df9fc5292e604f286cad182a371 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Oct 2021 17:32:42 -0700 Subject: [PATCH 14/14] Replace slugs on code blocks with valid types --- .../operations/known-issues.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 8b89dc8ae3..a54661c0b2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md 
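Review bot: in the deploy-wdac-policies-with-script.md hunk at `@@ -61,13 +61,15`, step 1 mounts the EFI system partition as `J:` with `mountvol J: /S`, but no step dismounts it after the copy in step 2, so the ESP stays exposed as a writable drive letter until `mountvol J: /D` is run or the machine reboots; add a dismount step before step 3, for example `mountvol J: /D` after changing back off the `J:` drive. The hard-coded `J:` also assumes that letter is free; a short sentence telling readers to substitute an unused letter would avoid a confusing `mountvol` failure on systems where `J:` is already mapped.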
@@ -40,12 +40,12 @@ In some cases, the code integrity logs where WDAC errors and warnings are writte Installing .msi files directly from the internet to a computer protected by WDAC will fail. For example, this command will not work: -```code +```console msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi ``` As a workaround, download the MSI file and run it locally: -```code +```console msiexec –i c:\temp\Windows10_Version_1511_ADMX.msi ```
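Review bot: in the known-issues.md hunk at `@@ -40,12 +40,12`, both `msiexec` examples use an en dash (`–i`) rather than an ASCII hyphen (`-i`), so a command copied from the rendered page fails with an unrecognized option; since the hunk already rewrites the fence line of each block, replace the dash in the same change. The slug change from `code` to `console` is the right choice for a command transcript.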