diff --git a/windows/security/threat-protection/windows-defender-application-control/sideloading-win32-apps-on-windows-10-s-mode-devices.md b/windows/security/threat-protection/windows-defender-application-control/sideloading-win32-apps-on-windows-10-s-mode-devices.md index c9842bdb33..60b8c97f46 100644 --- a/windows/security/threat-protection/windows-defender-application-control/sideloading-win32-apps-on-windows-10-s-mode-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/sideloading-win32-apps-on-windows-10-s-mode-devices.md 
@@ -37,11 +37,53 @@ To allow Win32 apps to run on a Windows 10 device in S mode, admins must ‘unlo - Admin submits the signed catalog to Intune - Intune applies the signed catalog to unlocked S mode device using Sidecar -## [Admin] Setting up Business Store to use DGSS +## Setting up Business Store to use DGSS 1. In the Azure portal, create a new resource of type Azure Active Directory, then create an associated global admin user. -2. Log in to the Microsoft Store for Business as the global admin then go to Organization > Private Store and accept -• This will automatically generate a root certificate for the organization -3. To download a root cert or upload policies/catalogs to sign, navigate to Manage > Settings > Devices -• Note: you can only upload .bin and .cat files -[Admin] Creating and Signing a Supplemental Policy +2. Log in to the Microsoft Store for Business as the global admin then go to **Organization** > **Private Store** and accept. + This will automatically generate a root certificate for the organization. +3. To download a root cert or upload policies/catalogs to sign, navigate to **Manage** > **Settings** > **Devices**. + Note: you can only upload .bin and .cat files. + +## Creating and Signing a Supplemental Policy + +1. Create new base policy using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) + ```powershell + New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath -MultiplePolicyFormat 3> -FilePath + ``` +2. Change it to a supplemental policy using [Set-CIPolicyIdInfo](https://docs.microsoft.com/powershell/module/configci/set-cipolicyidinfo?view=win10-ps) + ```powershell + Set-CIPolicyIdInfo -BasePolicyToSupplementPath -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath + ``` + Note: ‘5951A96A-E0B5-4D3D-8FB8-3E5B61030784' is the S-mode Base Policy ID. +3. 
Put policy in enforce mode using [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) + ```powershell + Set-RuleOption -FilePath -Option 3 –Delete + ``` + This deletes the ‘audit mode’ qualifier. +4. Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) + ```powershell + ConvertFrom-CIPolicy -XmlFilePath -BinaryFilePath + ``` + Note: PolicyID can be found by inspecting the Supplemental Policy XML. Convert to .bin to sign with DGSS (recommended) or .cip to sign locally. +5. To sign using the recommended DGSS option through the Microsoft Store for Business, click **Manage** > **Settings** > **Devices** > **Upload** > **Sign**. + To sign locally using signtool, see [Signing policies with signtool](signing-policies-with-signtool.md) + +## Creating and Signing an App Catalog +An admin must generate an app catalog for every deployed app: +1. Use Package Inspector to [create a catalog](https://docs.microsoft.com/microsoft-store/add-unsigned-app-to-code-integrity-policy#a-href-idcreate-catalog-filesacreate-catalog-files-for-your-unsigned-app) + - Start Package Inspector to scan the installer: + ```console + PackageInspector.exe start C: -path + ``` + - Open app installer + - Stop Package Inspector: + ```console + PackageInspector.exe stop C: -Name -cdfpath + ``` +2. To sign using the recommended DGSS option through the Microsoft Store for Business, click **Manage** > **Settings** > **Devices** > **Upload** > **Sign**. + To sign locally using signtool, see [Signing policies with signtool](signing-policies-with-signtool.md) + +## User experience + +Users will either have apps pushed directly to their devices by their admins, or they can download apps that their admins have made available through Company Portal
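Review bot: the commands in the new "Creating and Signing a Supplemental Policy" and "Creating and Signing an App Catalog" steps are missing every parameter value, so none of them runs as shown: `New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath -MultiplePolicyFormat 3> -FilePath`, `ConvertFrom-CIPolicy -XmlFilePath -BinaryFilePath` and `PackageInspector.exe stop C: -Name -cdfpath` all end a parameter name with nothing after it, and the same applies to `-BasePolicyToSupplementPath`, `-FilePath` in `Set-RuleOption`, and `-path` in the `PackageInspector.exe start` line. Please add placeholders such as `<ScanPath>`, `<PolicyPath.xml>` and `<CatalogName>` (angle brackets are literal inside a fenced block). In step 1 the `3>` after `-MultiplePolicyFormat` reads as a stray redirection token rather than a value, since `-MultiplePolicyFormat` is a switch; and in step 3 `–Delete` uses an en dash where a plain hyphen is expected, so readers who copy it may end up with a mangled switch. Lastly, the step 4 note "PolicyID can be found by inspecting the Supplemental Policy XML" refers to a value that no command in step 4 uses; consider moving it next to the step that actually needs the PolicyID or dropping it.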