diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index af1e30dca2..ab40f94622 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -47,18 +47,18 @@ The general steps for expanding the S mode base policy on your Intune-managed de Refer to [Deploy multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md) for guidance on creating supplemental policies and [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md) to choose the right type of rules to create for your policy. Below are a basic set of instructions for creating an S mode supplemental policy: - - Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps) + - Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true) ```powershell New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level Publisher -Fallback Hash ``` - - Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps) + - Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps&preserve-view=true) ```powershell Set-CIPolicyIdInfo -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath "\SupplementalPolicy.xml" ``` Policies which are supplementing the S mode base policy must use **-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784**, as this is the S mode policy ID. - - Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps) + - Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps&preserve-view=true) ```powershell Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete @@ -69,7 +69,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de ```powershell Add-SignerRule -FilePath -CertificatePath -User -Update ``` - - Convert to .bin using [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) + - Convert to .bin using [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy?view=win10-ps&preserve-view=true) ```powershell ConvertFrom-CIPolicy -XmlFilePath "\SupplementalPolicy.xml" -BinaryFilePath "\SupplementalPolicy.bin> @@ -86,7 +86,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de Go to the Azure portal online and navigate to the Microsoft Intune page, then go to the Client apps blade and select 'S mode supplemental policies'. Upload the signed policy to Intune and assign it to user or device groups. Intune will generate tenant- and device- specific authorization tokens. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these expand the S mode base policy on the device. > [!Note] -> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps) for information on setting the version number. +> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number. ## Standard Process for Deploying Apps through Intune ![Deploying Apps through Intune](images/wdac-intune-app-deployment.png) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 76eb273ded..70e5a3a31d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -1,6 +1,6 @@ --- title: Configure authorized apps deployed with a WDAC-managed installer (Windows) -description: Explains how to configure a custom Manged Installer. +description: Explains about how to configure a custom Manged Installer. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security @@ -77,7 +77,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the changes that are needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. -1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability. +1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability. ```powershell Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index 14ac17e575..a6fe5ce62e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -44,7 +44,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. -1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability. +1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability. ```powershell Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 3870af3447..0037968837 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -1,6 +1,6 @@ --- title: Create a WDAC policy for fully managed devices (Windows) -description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in system core. keywords: security, malware ms.topic: conceptual ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb