Paolo Matarazzo
2023-03-03 16:37:06 -05:00
parent c5e08455ce
commit bf8427b9d6
3 changed files with 16 additions and 18 deletions


@ -27,27 +27,20 @@ The following table details the two policy types to allow apps to run:
WDAC supplemental policies can be created and then deployed through Intune. WDAC supplemental policies can be created and then deployed through Intune.
Follow the instructions below for authoring and deploying these policies. To allow apps to install and run, you must write supplemental policies targeting the correct base policy. The base policy that you need to target has a PolicyID of `{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}`.
To allow apps to install and run by effectively overriding the Windows 11 SE E-Mode policy, supplemental policies you write must target the correct base policy. The base policy that you need to target has a PolicyID of `{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}`. ### Write a supplemental policy
- Policy creation: [Policy creation for common WDAC usage scenarios (Windows) - Windows security | Microsoft Docs][WIN-1]
- Supplemental Policy creation: [Creating a new Supplemental Policy with the Wizard][WIN-2]
- [WDAC Policy Wizard][EXT-1]
### Writing a supplemental policy
To write a policy, you can use [audit events][WIN-3], as they allow you to observe the actions that would be blocked by Windows 11 SE. From the audit events, you can create a policy to allow those actions. To write a policy, you can use [audit events][WIN-3], as they allow you to observe the actions that would be blocked by Windows 11 SE. From the audit events, you can create a policy to allow those actions.
1. On a **non-Windows SE** device, apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml based on Windows 11 SE E mode* that you can use: 1. On a **non-Windows SE** device, apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml* which is based on the **Windows 11 SE E-mode** policy:
- Open the **WDAC Wizard** and select **Policy Editor** - Open the **WDAC Wizard** and select **Policy Editor**
- In the Policy Path to Edit field, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC* and select the file called WinSEPolicy.xml. Select **Next** - In the Policy Path to Edit field, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next**
:::image type="content" source="images/wdac-winsepolicy.png" alt-text="This is a placeholder."::: :::image type="content" source="images/wdac-winsepolicy.png" alt-text="WDAC wizard - creation of a policy targeting the base WinSEPolicy.xml policy":::
- Toggle the option for **Audit Mode** and complete the Wizard. - Toggle the option for **Audit Mode** and complete the Wizard. Note the location of the .cip and .xml files shown on the final page of the wizard
- Note the location of the .cip and .xml files shown on the final page of the wizard.
- From an elevated PowerShell session, run the following command to activate the policy: - From an elevated PowerShell session, run the following command to activate the policy:
``` ```cmd
Citool.exe -up <Path to the .cip file> citool.exe -up \<\*Path to the .cip file\*\>
``` ```
1. With the *Base audit mode policy* for Windows 11 SE in place: 1. With the *Base audit mode policy* for Windows 11 SE in place:
- Download and run the app install for your app - Download and run the app install for your app
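Review bot: the escaping added inside the ```cmd fence is wrong, because markdown backslash escapes are not processed in fenced code, so `citool.exe -up \<\*Path to the .cip file\*\>` will render with the literal backslashes and asterisks and a reader who copies the line gets an invalid argument; keep the plain `citool.exe -up <Path to the .cip file>` form, which needs no escaping inside a fence. The same hunk changes the Wizard path to `*%ProgramFiles%\WindowsApps\Microsoft.WDAC\**`, where `\*` is an escaped literal asterisk immediately followed by the italic close, so the rendered path ends in an asterisk with no explanation; if that trailing `*` is a wildcard for the versioned package folder name, say so in the sentence and put the path in backticks rather than italics so the backslashes are not interpreted as escapes. Finally, rewriting the lead paragraph drops the clause "by effectively overriding the Windows 11 SE E-Mode policy", which was the only statement of why a supplemental policy has to target that specific PolicyID; consider keeping a short clause such as "supplemental policies extend the Windows 11 SE E-mode base policy" so the `{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}` requirement is motivated rather than just asserted.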
@ -64,13 +57,13 @@ To write a policy, you can use [audit events][WIN-3], as they allow you to obser
1. Convert the policy created in the previous step to a supplemental policy, specifying the E mode audit policy you created in the first step as its *Base*. 1. Convert the policy created in the previous step to a supplemental policy, specifying the E mode audit policy you created in the first step as its *Base*.
```PowerShell ```PowerShell
Set-CiPolicyIdInfo -FilePath <"Path to.xml file from previous step"> -BasePolicyToSupplementPath <"Path to the E mode .xml created in the first step"> Set-CiPolicyIdInfo -FilePath \<Path to.xml file from previous step\> -BasePolicyToSupplementPath \<Path to the E mode .xml created in the first step\>
``` ```
1. From an elevated PowerShell session, run the following command to activate the policy: 1. From an elevated PowerShell session, run the following command to activate the policy:
``` ```cmd
citool.exe -up <"Path to the .cip file"> citool.exe -up \<Path to the .cip file\>
``` ```
1. Clear the two event logs: 1. Clear the two event logs:
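Review bot: the backslashes introduced in both fences here have the same problem as in the previous hunk, since `Set-CiPolicyIdInfo -FilePath \<Path to.xml file from previous step\> -BasePolicyToSupplementPath \<Path to the E mode .xml created in the first step\>` and `citool.exe -up \<Path to the .cip file\>` sit inside ```PowerShell and ```cmd fences, where `\<` and `\>` are shown verbatim instead of being escaped; drop the backslashes and keep bare `<...>` placeholders as the old lines had. The placeholder `<Path to.xml file from previous step>` is also missing a space before `.xml`. Since the placeholders themselves contain spaces, it would help readers to show the paths quoted, as the old lines did with `<"Path to the .cip file">`, so that a real path containing spaces is passed as a single argument.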
@ -90,6 +83,11 @@ In the following video, Jeffrey Sutherland explains how to create a supplemental
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWWReO] > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWWReO]
For additional information:
- Policy creation: [Policy creation for common WDAC usage scenarios (Windows) - Windows security | Microsoft Docs][WIN-1]
- Supplemental Policy creation: [Creating a new Supplemental Policy with the Wizard][WIN-2]
- [WDAC Policy Wizard][EXT-1]
### Writing a supplemental policy for a UWP LOB app ### Writing a supplemental policy for a UWP LOB app
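Review bot: the heading style is now inconsistent, because the first hunk renames "### Writing a supplemental policy" to the imperative "### Write a supplemental policy" while the context line of this hunk leaves the sibling heading "### Writing a supplemental policy for a UWP LOB app" in the gerund form; rename both or neither. The "For additional information:" list that this hunk adds is the same three links removed from the top of the page in the first hunk, which is a reasonable move, but placing it between the embedded video and the next H3 makes it read as part of the video subsection; a short lead sentence or a blank line separating it from the video would make clear that the links apply to the whole supplemental-policy section.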

Binary file not shown (image). Before: 45 KiB.

Binary file not shown (image). Before: 230 KiB. After: 304 KiB.