diff --git a/education/windows/tutorial-managed-installer/create-policies.md b/education/windows/tutorial-managed-installer/create-policies.md index a2a85769ae..e6450ad3f9 100644 --- a/education/windows/tutorial-managed-installer/create-policies.md +++ b/education/windows/tutorial-managed-installer/create-policies.md 
@@ -27,27 +27,20 @@ The following table details the two policy types to allow apps to run: WDAC supplemental policies can be created and then deployed through Intune. -Follow the instructions below for authoring and deploying these policies. +To allow apps to install and run, you must write supplemental policies targeting the correct base policy. The base policy that you need to target has a PolicyID of `{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}`. -To allow apps to install and run by effectively overriding the Windows 11 SE E-Mode policy, supplemental policies you write must target the correct base policy. The base policy that you need to target has a PolicyID of `{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}`. - -- Policy creation: [Policy creation for common WDAC usage scenarios (Windows) - Windows security | Microsoft Docs][WIN-1] -- Supplemental Policy creation: [Creating a new Supplemental Policy with the Wizard][WIN-2] -- [WDAC Policy Wizard][EXT-1] - -### Writing a supplemental policy +### Write a supplemental policy To write a policy, you can use [audit events][WIN-3], as they allow you to observe the actions that would be blocked by Windows 11 SE. From the audit events, you can create a policy to allow those actions. -1. On a **non-Windows SE** device, apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml based on Windows 11 SE E mode* that you can use: +1. On a **non-Windows SE** device, apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml* which is based on the **Windows 11 SE E-mode** policy: - Open the **WDAC Wizard** and select **Policy Editor** - - In the Policy Path to Edit field, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC* and select the file called WinSEPolicy.xml. Select **Next** - :::image type="content" source="images/wdac-winsepolicy.png" alt-text="This is a placeholder."::: - - Toggle the option for **Audit Mode** and complete the Wizard. 
- - Note the location of the .cip and .xml files shown on the final page of the wizard. + - In the Policy Path to Edit field, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next** + :::image type="content" source="images/wdac-winsepolicy.png" alt-text="WDAC wizard - creation of a policy targeting the base WinSEPolicy.xml policy"::: + - Toggle the option for **Audit Mode** and complete the Wizard. Note the location of the .cip and .xml files shown on the final page of the wizard - From an elevated PowerShell session, run the following command to activate the policy: - ``` - Citool.exe -up + ```cmd + citool.exe -up \<\*Path to the .cip file\*\> ``` 1. With the *Base audit mode policy* for Windows 11 SE in place: - Download and run the app install for your app @@ -64,13 +57,13 @@ To write a policy, you can use [audit events][WIN-3], as they allow you to obser 1. Convert the policy created in the previous step to a supplemental policy, specifying the E mode audit policy you created in the first step as its *Base*. ```PowerShell - Set-CiPolicyIdInfo -FilePath <"Path to.xml file from previous step"> -BasePolicyToSupplementPath <"Path to the E mode .xml created in the first step"> + Set-CiPolicyIdInfo -FilePath \ -BasePolicyToSupplementPath \ ``` 1. From an elevated PowerShell session, run the following command to activate the policy: - ``` - citool.exe -up <"Path to the .cip file"> + ```cmd + citool.exe -up \ ``` 1. Clear the two event logs: 
@@ -90,6 +83,11 @@ In the following video, Jeffrey Sutherland explains how to create a supplemental > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWWReO] +For additional information: + +- Policy creation: [Policy creation for common WDAC usage scenarios (Windows) - Windows security | Microsoft Docs][WIN-1] +- Supplemental Policy creation: [Creating a new Supplemental Policy with the Wizard][WIN-2] +- [WDAC Policy Wizard][EXT-1] ### Writing a supplemental policy for a UWP LOB app diff --git a/education/windows/tutorial-managed-installer/images/store-app-new.png b/education/windows/tutorial-managed-installer/images/store-app-new.png deleted file mode 100644 index d6be685f2c..0000000000 Binary files a/education/windows/tutorial-managed-installer/images/store-app-new.png and /dev/null differ diff --git a/education/windows/tutorial-managed-installer/images/wdac-winsepolicy.png b/education/windows/tutorial-managed-installer/images/wdac-winsepolicy.png index 2e6c740b12..0b59e2c5bb 100644 Binary files a/education/windows/tutorial-managed-installer/images/wdac-winsepolicy.png and b/education/windows/tutorial-managed-installer/images/wdac-winsepolicy.png differ
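Review bot: in the activation step of the first hunk (`@@ -27,27`), the new fenced command `citool.exe -up \<\*Path to the .cip file\*\>` will render with the backslashes and asterisks shown literally, because backslash escapes are not processed inside a fenced code block; write the placeholder plainly, e.g. `citool.exe -up "<Path to the .cip file>"`. The same hunk italicises the wizard path as `*%ProgramFiles%\WindowsApps\Microsoft.WDAC\**`, where `\*` is an escaped asterisk and the trailing backslash is consumed, so it is unclear whether a wildcard or a directory separator is intended; putting the path in backticks removes the ambiguity. The fence is also tagged `cmd` while the sentence says the command is run from an elevated PowerShell session; tag it `powershell` to match the `Set-CiPolicyIdInfo` block in the next hunk.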
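Review bot: in the second hunk (`@@ -64,13`), the replacement lines `Set-CiPolicyIdInfo -FilePath \ -BasePolicyToSupplementPath \` and `citool.exe -up \` have lost their placeholders entirely; each parameter is now followed by a lone backslash, so a reader copying the command gets a syntax error instead of the previous hint about which .xml or .cip file to pass. Restore the placeholders without escaping, e.g. `Set-CiPolicyIdInfo -FilePath "<path to the .xml file from the previous step>" -BasePolicyToSupplementPath "<path to the E mode .xml created in the first step>"` and `citool.exe -up "<path to the .cip file>"`. As in the first hunk, the `cmd` fence tag contradicts the "elevated PowerShell session" wording.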
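Review bot: in the third hunk (`@@ -90,6`), the relocated list under "For additional information:" still uses the `[WIN-1]`, `[WIN-2]` and `[EXT-1]` reference-style links that the first hunk removed from the top of the page, so confirm that their link definitions at the end of the file are unchanged and not dropped by an edit outside this diff. "For more information, see:" is the usual docs phrasing for this lead-in. The first hunk also renames the section heading to the imperative "Write a supplemental policy", but the heading that follows this list, "Writing a supplemental policy for a UWP LOB app", keeps the gerund form; rename it as well so the two headings are consistent.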
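Review bot: `images/store-app-new.png` is deleted, but none of the markdown hunks in this patch removes a reference to it; check that no remaining `:::image` directive on this or another page still points at that file, otherwise the build would end up with a broken image link. The updated `wdac-winsepolicy.png` goes with the new alt text in the first hunk, which is a welcome replacement for "This is a placeholder."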