mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 21:03:42 +00:00
Suggestion fixes
This commit is contained in:
Alekhya Jupudi
@ -47,18 +47,18 @@ The general steps for expanding the S mode base policy on your Intune-managed de
|
||||
Refer to [Deploy multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md) for guidance on creating supplemental policies and [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md) to choose the right type of rules to create for your policy.
|
||||
|
||||
Below are a basic set of instructions for creating an S mode supplemental policy:
|
||||
- Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps)
|
||||
- Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true)
|
||||
|
||||
```powershell
|
||||
New-CIPolicy -MultiplePolicyFormat -ScanPath <path> -UserPEs -FilePath "<path>\SupplementalPolicy.xml" -Level Publisher -Fallback Hash
|
||||
```
|
||||
- Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps)
|
||||
- Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps&preserve-view=true)
|
||||
|
||||
```powershell
|
||||
Set-CIPolicyIdInfo -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath "<path>\SupplementalPolicy.xml"
|
||||
```
|
||||
Policies which are supplementing the S mode base policy must use **-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784**, as this is the S mode policy ID.
|
||||
- Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps)
|
||||
- Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps&preserve-view=true)
|
||||
|
||||
```powershell
|
||||
Set-RuleOption -FilePath "<path>\SupplementalPolicy.xml>" -Option 3 –Delete
|
||||
@ -69,7 +69,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
|
||||
```powershell
|
||||
Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User -Update
|
||||
```
|
||||
- Convert to .bin using [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy?view=win10-ps)
|
||||
- Convert to .bin using [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy?view=win10-ps&preserve-view=true)
|
||||
|
||||
```powershell
|
||||
ConvertFrom-CIPolicy -XmlFilePath "<path>\SupplementalPolicy.xml" -BinaryFilePath "<path>\SupplementalPolicy.bin>
|
||||
@ -86,7 +86,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
|
||||
Go to the Azure portal online and navigate to the Microsoft Intune page, then go to the Client apps blade and select 'S mode supplemental policies'. Upload the signed policy to Intune and assign it to user or device groups. Intune will generate tenant- and device- specific authorization tokens. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these expand the S mode base policy on the device.
|
||||
|
||||
> [!Note]
|
||||
> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps) for information on setting the version number.
|
||||
> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number.
|
||||
|
||||
## Standard Process for Deploying Apps through Intune
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Configure authorized apps deployed with a WDAC-managed installer (Windows)
|
||||
description: Explains how to configure a custom Manged Installer.
|
||||
description: Explains about how to configure a custom Manged Installer.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
ms.prod: m365-security
|
||||
@ -77,7 +77,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker
|
||||
|
||||
Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the changes that are needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
|
||||
|
||||
1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability.
|
||||
1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability.
|
||||
|
||||
```powershell
|
||||
Get-ChildItem <exe filepath> | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml
|
||||
|
||||
@ -44,7 +44,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker
|
||||
|
||||
Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
|
||||
|
||||
1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability.
|
||||
1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability.
|
||||
|
||||
```powershell
|
||||
Get-ChildItem <exe filepath> | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Create a WDAC policy for fully managed devices (Windows)
|
||||
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
|
||||
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in system core.
|
||||
keywords: security, malware
|
||||
ms.topic: conceptual
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
|
||||
Reference in New Issue
Block a user