Update deploy-multiple-windows-defender-application-control-policies.md

brbrahm 2019-05-16 13:47:58 -07:00 committed by GitHub
parent df1a051291
commit a8272559d1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -26,9 +26,10 @@ The restriction of only having a single code integrity policy active on a system
- To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy
2. Multiple Base Policies
- Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent
- If two base policies exist on a device, an application has to be allowed by both to run
3. Supplemental Policies
- Users can deploy one or more supplemental policies to expand a base policy
- If two base policies exist on a device, an application has to be allowed by both to run
- A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy
- For supplemental policies, applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run
## How do Base and Supplemental Policies Interact?
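Review bot: the second bullet under "3. Supplemental Policies" ("If two base policies exist on a device, an application has to be allowed by both to run") is a verbatim copy of the bullet under "2. Multiple Base Policies" and describes base-policy intersection, not supplemental behaviour; it should be dropped, since the last bullet already states the supplemental rule ("applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run"). Also add a blank line before "## How do Base and Supplemental Policies Interact?" so the heading is not glued to the preceding list item.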
@ -38,68 +39,39 @@ The restriction of only having a single code integrity policy active on a system
- Base + supplemental policy: union
- Files that are allowed by the base policy or the supplemental policy are not blocked
## PowerShell parameters
## Creating Multiple Base or Supplemental Policies
New-CIPolicy
- MultiplePolicyFormat: allows for multiple policies
Note that multiple policies will not work on pre-1903 systems.
### Allow Multiple Policies
In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in New-CIPolicy results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base.
```powershell
New-CIPolicy [-FilePath] <string> -Level {None | Hash | FileName | SignedVersion | Publisher | FilePublisher | LeafCertificate | PcaCertificate | RootCertificate | WHQL | WHQLPublisher | WHQLFilePublisher | PFN | FilePath}
[-DriverFiles <DriverFile[]>] [-Fallback {None | Hash | FileName | SignedVersion | Publisher | FilePublisher | LeafCertificate | PcaCertificate | RootCertificate | WHQL | WHQLPublisher | WHQLFilePublisher | PFN | FilePath}]
[-Audit] [-ScanPath <string>] [-ScriptFileNames] [-AllowFileNameFallbacks] [-SpecificFileNameLevel {None | OriginalFileName | InternalName | FileDescription | ProductName | PackageFamilyName | FilePath}] [-UserPEs] [-NoScript]
[-Deny] [-NoShadowCopy] [-MultiplePolicyFormat] [-OmitPaths <string[]>] [-PathToCatroot <string>] [<CommonParameters>] to generate new policy format(base policy and policy type and policy guid)
New-CIPolicy -MultiplePolicyFormat -foo bar
```
Set-CIPolicyIdInfo
- **SupplementsBasePolicyID**: guid of new supplemental policy
- **BasePolicyToSupplementPath**: base policy that the supplemental policy applies to
- **ResetPolicyID**: reset the policy guids back to a random guid
Optionally, you can choose to make the new base policy supplementable (allow supplemental policies).
```powershell
Set-RuleOption -FilePath <string> Enabled:Allow Supplemental Policies
```
For signed base policies that are being made supplementable, you need to ensure that supplemental signers are defined. Use the "Supplemental" switch in Add-SignerRule to provide supplemental signers.
```powershell
Add-SignerRule -FilePath <string> -CertificatePath <string> [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [<CommonParameters>]
```
### Supplemental Policy Creation
In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands.
- "SupplementsBasePolicyID": guid of new supplemental policy
- "BasePolicyToSupplementPath": base policy that the supplemental policy applies to
```powershell
Set-CIPolicyIdInfo [-FilePath] <string> [-PolicyName <string>] [-SupplementsBasePolicyID <guid>] [-BasePolicyToSupplementPath <string>] [-ResetPolicyID] [-PolicyId <string>] [<CommonParameters>]
```
Add-SignerRule
- **Supplemental**: provides supplemental signers
Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and resets the policy guids back to a random guid.
```powershell
Add-SignerRule -FilePath <string> -CertificatePath <string> [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [<CommonParameters>]
```
### Merging policies
Set-RuleOption
- **Enabled:Allow Supplemental Policies**: makes base policy able to be supplemented
### Examples
**Scenario #1: Creating a new base policy**
```powershell
New-CiPolicy -MulitplePolicyFormat -foo bar
```
- **MultiplePolicyFormat** switch results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base.
Can optionally choose to make it supplementable:
- Set-RuleOption has a new option **Enabled:Allow Supplemental Policies** to set for base policy
- For signed policies that are being made supplementable, need to ensure that supplemental signers are defined. Use “Add-SignerRule” to provide supplemental signers.
```powershell
Add-SignerRule -FilePath <string> -CertificatePath <string> [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [<CommonParameters>]
```
**Scenario #2: Creating a new supplemental policy**
1. Scan using `New-CiPolicy MuliplePolicyFormat` to generate a base policy:
```powershell
New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath <path> -MultiplePolicyFormat 3> <path\CIPolicyLog.txt> -FilePath <path\SupplementalPolicy.xml>
```
2. Change this new base policy to a supplemental policy
- Provide path of base in `Set-CIPolicyIdInfo BasePolicytoSupplementPath`
- Provide GUID of base in `Set-CIPolicyIdInfo SupplementsBasePolicyID`
```powershell
Set-CIPolicyIdInfo -BasePolicyToSupplementPath <path\SupplementalPolicy.xml> -SupplementsBasePolicyID <BasePolicyID> -FilePath <path\SupplementalPolicy.xml>
```
- Can revert the policy back to being a base policy using `-ResetPolicyID`
**Scenario #3: Merging policies**
- When merging, the policy type and ID of the leftmost/first policy specified is used
- If the leftmost is a base policy with ID <ID>, then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID <ID>
When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID <ID>, then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID <ID>.
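Review bot: the description of SupplementsBasePolicyID contradicts itself within this hunk. The parameter lists ("SupplementsBasePolicyID: guid of new supplemental policy") say it takes the supplemental policy's GUID, while Scenario #2 says "Provide GUID of base in Set-CIPolicyIdInfo SupplementsBasePolicyID"; pick one (the scenario reading matches the parameter name) and fix the two list entries. In the same scenario, step 1 writes the freshly scanned policy to `<path\SupplementalPolicy.xml>` and step 2 then passes that same file as `-BasePolicyToSupplementPath`, so a reader following the steps would point the supplemental at itself; the base path should reference the base policy file, and the file being converted should be the one passed to `-FilePath`. Further points: `New-CIPolicy -MultiplePolicyFormat -foo bar` and `New-CiPolicy -MulitplePolicyFormat -foo bar` are placeholders (and the second misspells the switch, as does `MuliplePolicyFormat` in step 1), so replace them with a real invocation such as the one already shown in Scenario #2 step 1; the trailing text "to generate new policy format(base policy and policy type and policy guid)" sits inside the New-CIPolicy syntax fence and should move out to prose; the fragments "New-CIPolicy", "Set-CIPolicyIdInfo", "Add-SignerRule" and "Set-RuleOption" with their bullet lists appear to be leftovers from the old "PowerShell parameters" layout interleaved with the new sections, leaving "### Merging policies" heading over Set-RuleOption content while the actual merge guidance lives under Scenario #3; and the closing paragraph repeats the two bullets immediately above it word for word, so keep one form.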