mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-17 07:47:22 +00:00
Merge pull request #5095 from jsuther1974/master
Update merge and enforce topics to address issues and inaccuracies.
commit
b15787dfbf
@ -1,69 +1,113 @@
|
||||
---
|
||||
title: Enforce Windows Defender Application Control (WDAC) policies (Windows 10)
|
||||
description: Learn how to test a Windows Defender Application Control (WDAC) policy in enforced mode by following these steps in an elevated Windows PowerShell session.
|
||||
description: Learn how to switch a WDAC policy from audit to enforced mode.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
author: jsuther1974
|
||||
ms.reviewer: isbrahm
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jogeurte
|
||||
ms.author: jogeurte
|
||||
ms.manager: jsuther
|
||||
manager: dansimp
|
||||
ms.date: 05/03/2018
|
||||
ms.date: 04/22/2021
|
||||
ms.technology: mde
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
---
|
||||
|
||||
# Enforce Windows Defender Application Control policies
|
||||
# Enforce Windows Defender Application Control (WDAC) policies
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Every WDAC policy is created with audit mode enabled. After you have successfully deployed and tested a WDAC policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session:
|
||||
You should now have one or more WDAC policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your WDAC policies in enforcement mode.
|
||||
|
||||
> [!NOTE]
|
||||
> Every WDAC policy should be tested in audit mode first. For information about how to audit WDAC policies, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md), earlier in this topic.
|
||||
> Some of the steps described in this article only apply to Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features. Evaluate the impact for any features that may be unavailable on your clients running earlier versions of Windows 10 and Windows Server. You may need to adapt this guidance to meet your specific organization's needs.
|
||||
|
||||
1. Initialize the variables that will be used:
|
||||
## Convert WDAC **base** policy from audit to enforced
|
||||
|
||||
`$CIPolicyPath=$env:userprofile+"\Desktop\"`
|
||||
As described in [common WDAC deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
|
||||
|
||||
`$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
|
||||
**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout.
|
||||
|
||||
`$EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"`
|
||||
Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode.
|
||||
|
||||
`$CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
|
||||
1. Initialize the variables that will be used and create the enforced policy by copying the audit version.
|
||||
|
||||
```powershell
|
||||
$EnforcedPolicyName = "Lamna_FullyManagedClients_Enforced"
|
||||
$AuditPolicyXML = $env:USERPROFILE+"\Desktop\Lamna_FullyManagedClients_Audit.xml"
|
||||
$EnforcedPolicyXML = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+".xml"
|
||||
cp $AuditPolicyXML $EnforcedPolicyXML
|
||||
```
|
||||
|
||||
2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your WDAC policy over time. If you prefer to replace the audit policy in-place, you can skip this step.
|
||||
|
||||
```powershell
|
||||
$EnforcedPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedPolicyXML -PolicyName $EnforcedPolicyName -ResetPolicyID
|
||||
$EnforcedPolicyID = $EnforcedPolicyID.Substring(11)
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> The initial WDAC policy that this section refers to was created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are using a different WDAC policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
|
||||
> If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
|
||||
|
||||
2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the WDAC policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options.
|
||||
3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment.
|
||||
|
||||
To ensure that these options are enabled in a policy, use [Set-RuleOption](/powershell/module/configci/set-ruleoption) as shown in the following commands. You can run these commands even if you're not sure whether options 9 and 10 are already enabled—if so, the commands have no effect.
|
||||
```powershell
|
||||
Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9
|
||||
Set-RuleOption -FilePath $EnforcedPolicyXML -Option 10
|
||||
```
|
||||
|
||||
`Set-RuleOption -FilePath $InitialCIPolicy -Option 9`
|
||||
4. Use Set-RuleOption to delete the audit mode rule option, which changes the policy to enforcement:
|
||||
|
||||
`Set-RuleOption -FilePath $InitialCIPolicy -Option 10`
|
||||
```powershell
|
||||
Set-RuleOption -FilePath $EnforcedPolicyXML -Option 3 -Delete
|
||||
```
|
||||
|
||||
3. Copy the initial file to maintain an original copy:
|
||||
|
||||
`copy $InitialCIPolicy $EnforcedCIPolicy`
|
||||
|
||||
4. Use Set-RuleOption to delete the audit mode rule option:
|
||||
|
||||
`Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
|
||||
5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary:
|
||||
|
||||
> [!NOTE]
|
||||
> To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy.
|
||||
> If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML.
|
||||
|
||||
5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary format:
|
||||
```powershell
|
||||
$EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml"
|
||||
ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary
|
||||
```
|
||||
|
||||
`ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin`
|
||||
## Make copies of any needed **supplemental** policies to use with the enforced base policy
|
||||
|
||||
Now that this policy is in enforced mode, you can deploy it to your test computers. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). You can also use other client management software to deploy and manage the policy.
|
||||
Since the enforced policy was given a unique PolicyID in the previous procedure, you need to duplicate any needed supplemental policies to use with the enforced policy. Supplemental policies always inherit the Audit or Enforcement mode from the base policy they modify. If you didn't reset the enforcement base policy's PolicyID, you can skip this procedure.
|
||||
|
||||
1. Initialize the variables that will be used and create a copy of the current supplemental policy. Some variables and files from the previous procedure will also be used.
|
||||
|
||||
```powershell
|
||||
$SupplementalPolicyName = "Lamna_Supplemental1"
|
||||
$CurrentSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Audit.xml"
|
||||
$EnforcedSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Enforced.xml"
|
||||
```
|
||||
|
||||
2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new supplemental policy a unique ID and descriptive name, and change which base policy to supplement.
|
||||
|
||||
```powershell
|
||||
$SupplementalPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy -PolicyName $SupplementalPolicyName -SupplementsBasePolicyID $EnforcedPolicyID -BasePolicyToSupplementPath $EnforcedPolicyXML -ResetPolicyID
|
||||
$SupplementalPolicyID = $SupplementalPolicyID.Substring(11)
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
|
||||
|
||||
3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC supplemental policy to binary:
|
||||
|
||||
```powershell
|
||||
$EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml"
|
||||
ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary
|
||||
```
|
||||
4. Repeat the steps above if you have other supplemental policies to update.
|
||||
|
||||
## Deploy your enforced policy and supplemental policies
|
||||
|
||||
Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md).
|
||||
|
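Review bot: in the "Make copies of any needed supplemental policies" section, step 1 says it creates a copy of the current supplemental policy, but the code block only initializes `$CurrentSupplementalPolicy` and `$EnforcedSupplementalPolicy`; nothing copies the file, so the `Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy` call in step 2 targets a file that does not exist yet. Add a copy line mirroring the base-policy step, e.g. `Copy-Item $CurrentSupplementalPolicy $EnforcedSupplementalPolicy` (and consider `Copy-Item` rather than the `cp` alias in the base-policy block too). Separately, both ConvertFrom-CIPolicy steps build the binary output path with an `.xml` suffix (`$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml"` and the matching `$EnforcedSuppPolicyBinary` line) even though the cmdlet writes the binary form; use `.bin` as the merge topic in this same PR does (`_{InsertPolicyID}.bin`), so the enforced binary is not mistaken for the XML source.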
@ -1,58 +1,94 @@
|
||||
---
|
||||
title: Merge Windows Defender Application Control policies (Windows 10)
|
||||
description: Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. Learn how with this guide.
|
||||
title: Merge Windows Defender Application Control policies (WDAC) (Windows 10)
|
||||
description: Learn how to merge WDAC policies as part of your policy lifecycle management.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
author: jsuther1974
|
||||
ms.reviewer: isbrahm
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jogeurte
|
||||
ms.author: jogeurte
|
||||
ms.manager: jsuther
|
||||
manager: dansimp
|
||||
ms.date: 05/03/2018
|
||||
ms.date: 04/22/2021
|
||||
ms.technology: mde
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
---
|
||||
|
||||
# Merge Windows Defender Application Control policies
|
||||
# Merge Windows Defender Application Control (WDAC) policies
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. For example, after a WDAC policy is created and audited, you might want to merge audit events from another WDAC policy.
|
||||
This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. WDAC deployments often include a few base policies and optional supplemental policies for specific use cases.
|
||||
|
||||
> [!NOTE]
|
||||
> Because only one SiPolicy.p7b file can be active on a system, the last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then a managed installer using Microsoft Endpoint Configuration Manager targeted the same device, the Configuration Manager policy would overwrite the SiPolicy.p7b file.
|
||||
> Prior to Windows version 1903, including Windows Server 2019 and earlier, only one WDAC policy can be active on a system at a time. If you need to use WDAC on systems running these earlier versions of Windows, you must merge all policies before deploying.
|
||||
|
||||
To merge two WDAC policies, complete the following steps in an elevated Windows PowerShell session:
|
||||
## Merge multiple WDAC policy XML files together
|
||||
|
||||
There are many scenarios where you may want to merge two or more policy files together. For example, if you [use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md), you can merge those rules with your existing WDAC base policy. To merge the two WDAC policies referenced in that article, complete the following steps in an elevated Windows PowerShell session.
|
||||
|
||||
1. Initialize the variables that will be used:
|
||||
|
||||
`$CIPolicyPath=$env:userprofile+"\Desktop\"`
|
||||
|
||||
`$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
|
||||
|
||||
`$AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
|
||||
|
||||
`$MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"`
|
||||
|
||||
`$CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
|
||||
|
||||
> [!NOTE]
|
||||
> The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly.
|
||||
```powershell
|
||||
$PolicyName= "Lamna_FullyManagedClients_Audit"
|
||||
$LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
|
||||
$EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml"
|
||||
$MergedPolicy=$env:userprofile+"\Desktop\"+$PolicyName+"_Merged.xml"
|
||||
```
|
||||
|
||||
2. Use [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) to merge two policies and create a new WDAC policy:
|
||||
|
||||
`Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy`
|
||||
```powershell
|
||||
Merge-CIPolicy -PolicyPaths $LamnaPolicy,$EventsPolicy -OutputFilePath $MergedPolicy
|
||||
```
|
||||
|
||||
3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the merged WDAC policy to binary format:
|
||||
> [!NOTE]
|
||||
> You can merge additional policies with the Merge-CIPolicy step above by adding them to the -PolicyPaths parameter separated by commas. The new policy file specified by -OutputFilePath will have the Policy information from the first policy in the list. For example, in the above example, the $MergedPolicy will inherit the policy type, ID, name, and version information from $LamnaPolicy. To change any of those values, use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) and [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion).
|
||||
|
||||
`ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin`
|
||||
## Merge WDAC rules directly into a policy XML
|
||||
|
||||
Now that you have created a new WDAC policy, you can deploy the policy binary to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
|
||||
Besides merging multiple policy XML files, you can also merge rules created with the New-CIPolicyRule cmdlet directly into an existing WDAC policy XML file. Directly merging rules is a convenient way to update your policy without creating extra policy XML files. For example, to add rules that allow the WDAC Wizard and the WDAC RefreshPolicy.exe tool, follow these steps:
|
||||
|
||||
1. Install the [WDAC Wizard](wdac-wizard.md) packaged MSIX app.
|
||||
2. Download the [Refresh Policy tool](https://aka.ms/refreshpolicy) for your processor architecture and save it to your desktop as RefreshPolicy.exe.
|
||||
3. From a PowerShell session, run the following commands to create packaged app allow rules for the WDAC Wizard:
|
||||
|
||||
```powershell
|
||||
$PackageInfo = Get-AppxPackage -Name Microsoft.WDAC.WDACWizard
|
||||
$Rules = New-CIPolicyRule -Package $PackageInfo
|
||||
```
|
||||
|
||||
4. Add FilePublisher rules for the RefreshPolicy.exe:
|
||||
|
||||
```powershell
|
||||
$Rules += New-CIPolicyRule -DriverFilePath $env:USERPROFILE\Desktop\RefreshPolicy.exe -Level FilePublisher
|
||||
```
|
||||
|
||||
5. Use [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) to merge the new rules directly into the MergedPolicy file created in the previous procedure's final step:
|
||||
|
||||
```powershell
|
||||
Merge-CIPolicy -PolicyPaths $MergedPolicy -OutputFilePath $MergedPolicy -Rules $Rules
|
||||
```
|
||||
|
||||
## Convert and deploy merged policy to managed endpoints
|
||||
|
||||
Now that you have your new, merged policy, you can convert and deploy the policy binary to your managed endpoints.
|
||||
|
||||
1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
|
||||
|
||||
```powershell
|
||||
$WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
|
||||
ConvertFrom-CIPolicy -XMLFilePath $MergedPolicy -BinaryFilePath $WDACPolicyBin
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> In the sample commands above, for policies targeting Windows 10 version 1903+, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. For Windows 10 versions prior to 1903, use the name SiPolicy.p7b for the binary file name.
|
||||
|
||||
2. Upload your merged policy XML and the associated binary to the source control solution you are using for your WDAC policies. such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
|
||||
|
||||
3. Deploy the merged policy using your preferred deployment solution. See [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md)
|
||||
|
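Review bot: step 5 of "Merge WDAC rules directly into a policy XML" says `$MergedPolicy` was created in the previous procedure's final step, but that file is produced by the `Merge-CIPolicy` call in step 2 of that procedure (the section's last item is the note about `-PolicyPaths` ordering); point the reader at that step so they do not look for a file created by ConvertFrom-CIPolicy. Two smaller points: in step 2 of "Convert and deploy merged policy to managed endpoints" the stray period in "you are using for your WDAC policies. such as [GitHub]" should be a comma, and the new frontmatter title "Merge Windows Defender Application Control policies (WDAC) (Windows 10)" places the acronym after "policies" whereas the new H1 reads "Merge Windows Defender Application Control (WDAC) policies"; make the title match the heading.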