Merge pull request #1505 from MicrosoftDocs/FromPrivateRepo

From private repo
2025-05-13 22:07:22 +00:00 · 2018-08-21 10:35:47 -07:00 · 2018-08-21 10:35:47 -07:00 · db76705df7
commit db76705df7
parent c105de54e0 78e212a7ef
5 changed files with 597 additions and 377 deletions
--- a/windows/application-management/msix-app-packaging-tool.md
+++ b/windows/application-management/msix-app-packaging-tool.md
@ -23,15 +23,11 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft
 - A valid MSA alias (to access the app from the Store) 
 ## What's new
-v1.2018.808.0
+v1.2018.820.0
- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu.
+- Command Line Support
- Fixed an issue where signing in with password protected certificates would fail in the tool.
+- Ability to use existing local virtual machines for packaging environment.
- Fixed an issue where the tool was crashing when editing an existing MSIX package.
+- Ability to cross check publisher information in the manifest with a signing certificate to avoid signing issues.
- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures.
+- Minor updates to the UI for added clarity.
 - Minor UI tweaks to add clarity.
 - Minor updates to the logs for added clarity.
 ## Installing the MSIX Packaging Tool
@ -45,11 +41,139 @@ This is an early preview build and not all features are supported. Here is what
 - Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon.
 - Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**. 
 ## Creating an application package using the Command line interface
 To create a new MSIX package for your application, run the MsixPackagingTool.exe create-package command in a Command prompt window. 
 Here are the parameters that can be passed as command line arguments:
 |Parameter   |Description  |
 |---------|---------|
 |-? <br> --help     |   Show help information      |
 |--virtualMachinePassword     |    [optional] The password for the Virtual Machine to be used for the conversion environment. Notes: The template file must contain a VirtualMachine element and the Settings::AllowPromptForPassword attribute must not be set to true.     |
 Examples:
 - MsixPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml
 - MSIXPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml  --virtualMachinePassword 
 ## Conversion template file
 ```xml
      <MsixPackagingToolTemplate
       xmlns="http://schemas.microsoft.com/appx/msixpackagingtool/template/2018">
       <Settings
           AllowTelemetry="true"
           ApplyAllPrepareComputerFixes="true"
           GenerateCommandLineFile="true"
           AllowPromptForPassword="false" >
           <ExclusionItems>
               <FileExclusion ExcludePath="[{Cookies}]" />
               <FileExclusion ExcludePath="[{History}]" />
               <FileExclusion ExcludePath="[{Cache}]" />
               <FileExclusion ExcludePath="[{Personal}]" />
               <RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography" />
               <RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography" />
               <RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware" />            
           </ExclusionItems>
       </Settings>
       <PrepareComputer
           DisableDefragService="true"
           DisableWindowsSearchService="true"
           DisableSmsHostService="true"
           DisableWindowsUpdateService ="true"/>
       <!--Note: this section takes precedence over the Settings::ApplyAllPrepareComputerFixes attribute -->
       <SaveLocation Path="C:\users\user\Desktop" />
       <Installer
           Path="C:\MyAppInstaller.msi"
           Arguments="/quiet"
           InstallLocation="C:\Program Files\MyAppInstallationLocation" />
       <VirtualMachine Name="vmname" Username="myusername" />
       <PackageInformation
           PackageName="MyAppPackageNAme"
           PackageDisplayName="MyApp Display Name"
           PublisherName="CN=MyPublisher"
           PublisherDisplayName="MyPublisher Display Name"
           Version="1.1.0.0"
           MainPackageNameForModificationPackage="MainPackageIdentityName">
           <Applications>
               <Application
                   Id="App1"
                   Description="MyApp"
                   DisplayName="My App"
                   ExecutableName="MyApp.exe"/>
           <!-- You can specify multiple application parameters for different executables in your package -->
           </Applications>
           <Capabilities>
           </Capabilities>
       </PackageInformation>
   </MsixPackagingToolTemplate>
 ```
 ## Conversion template parameter reference
 Here is the complete list of parameters that you can use in the Conversion template file.
 |ConversionSettings entries  |Description  |
 |---------|---------|
 |Settings:: AllowTelemetry     |[optional] Enables telemetry logging for this invocation of the tool.       |
 |Settings:: ApplyAllPrepareComputerFixes     |[optional] Applies all recommended prepare computer fixes. Cannot be set when other attributes are used.         |
 |Settings:: GenerateCommandLineFile     |[optional] Copies the template file input to the SaveLocation directory for future use.         |
 |Settings:: AllowPromptForPassword     |[optional] Instructs the tool to prompt the user to enter passwords for the Virtual Machine and for the signing certificate if it is required and not specified.         |
 |ExclusionItems     |[optional] 0 or more FileExclusion or RegistryExclusion elements. All FileExclusion elements must appear before any RegistryExclusion elements.         |
 |ExclusionItems::FileExclusion     |[optional] A file to exclude for packaging.         |
 |ExclusionItems::FileExclusion::ExcludePath     |Path to file to exclude for packaging.         |
 |ExclusionItems::RegistryExclusion     |[optional] A registry key to exclude for packaging.          |
 |ExclusionItems::RegistryExclusion:: ExcludePath     |Path to registry to exclude for packaging.         |
 |PrepareComputer::DisableDefragService     |[optional] Disables Windows Defragmenter while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes.         |
 |PrepareComputer:: DisableWindowsSearchService     |[optional] Disables Windows Search while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes.         |
 |PrepareComputer:: DisableSmsHostService     |[optional] Disables SMS Host while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes.         |
 |PrepareComputer:: DisableWindowsUpdateService     |[optional] Disables Windows Update while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes.         |
 |SaveLocation     |[optional] An element to specify the save location of the tool. If not specified, the package will be saved under the Desktop folder.         |
 |SaveLocation::Path     |The path to the folder where the resulting MSIX package is saved.         |
 |Installer::Path     |The path to the application installer.         |
 |Installer::Arguments     |The arguments to pass to the installer. You must pass the arguments to force your installer to run unattended/silently.         |
 |Installer::InstallLocation     |[optional] The full path to your application's root folder for the installed files if it were installed (e.g. "C:\Program Files (x86)\MyAppInstalllocation").         |
 |VirtualMachine     |[optional] An element to specify that the conversion will be run on a local Virtual Machine.         |
 |VrtualMachine::Name     |The name of the Virtual Machine to be used for the conversion environment.         |
 |VirtualMachine::Username     |[optional] The user name for the Virtual Machine to be used for the conversion environment.         |
 |PackageInformation::PackageName     |The Package Name for your MSIX package.         |
 |PackageInformation::PackageDisplayName     |The Package Display Name for your MSIX package.         |
 |PackageInformation::PublisherName     |The Publisher for your MSIX package.         |
 |PackageInformation::PublisherDisplayName     |The Publisher Display Name for your MSIX package.         |
 |PackageInformation::Version     |The version number for your MSIX package.         |
 |PackageInformation:: MainPackageNameForModificationPackage     |[optional] The Package identity name of the main package name. This is used when creating a modification package that takes a dependency on a main (parent) application.         |
 |Applications     |[optional] 0 or more Application elements to configure the Application entries in your MSIX package.         |
 |Application::Id     |The App ID for your MSIX application. This ID will be used for the Application entry detected that matches the specified ExecutableName. You can have multiple Application ID for executables in the package         |
 |Application::ExecutableName     |The executable name for the MSIX application that will be added to the package manifest. The corresponding application entry will be ignored if no application with this name is detected.         |
 |Application::Description     |[optional] The App Description for your MSIX application. If not used, the Application DisplayName will be used. This description will be used for the application entry detected that matches the specified ExecutableName         |
 |Application::DisplayName     |The App Display Name for your MSIX package. This Display Name will be used for the application entry detected that matches the specified ExecutableName         |
 |Capabilities     |[optional] 0 or more Capability elements to add custom capabilities to your MSIX package. “runFullTrust” capability is added by default during conversion.         |
 |Capability::Name     |The capability to add to your MSIX package.          |
 ## Delete temporary conversion files using Command line interface
 To delete all the temporary package files, logs, and artifacts created by the tool, run the MsixPackagingTool.exe cleanup command in the Command line window.
 Example:
 - MsixPackagingTool.exe cleanup 
 ## Unsupported features
 Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features: 
 - Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0). 
 - Packaging on existing virtual machines. You can still install the Tool on a fresh VM, but the tool cannot currently spawn off a conversion from a local machine to an existing VM. 
 - Command Line Interface support  
 - Conversion of App-V 4.x packages 
 ## How to file feedback
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -2060,6 +2060,9 @@ The following diagram shows the Policy configuration service provider in tree fo
  <dd>
    <a href="./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize" id="kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
  </dd>
  <dd>
    <a href="./policy-csp-kerberos.md#kerberos-upnnamehints" id="kerberos-upnnamehints">Kerberos/UPNNameHints</a>
  </dd>
 </dl>
 ### KioskBrowser policies
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@ -6,11 +6,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 03/12/2018
+ms.date: 08/08/2018
 ---
 # Policy CSP - Kerberos
 > [!WARNING]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 <hr/>
@ -34,6 +36,9 @@ ms.date: 03/12/2018
  <dd>
    <a href="#kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
  </dd>
  <dd>
    <a href="#kerberos-upnnamehints">Kerberos/UPNNameHints</a>
  </dd>
 </dl>
@ -353,6 +358,60 @@ ADMX Info:
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="kerberos-upnnamehints"></a>**Kerberos/UPNNameHints**  
 <!--SupportedSKUs-->
 <table>
 <tr>
 	<th>Home</th>
 	<th>Pro</th>
 	<th>Business</th>
 	<th>Enterprise</th>
 	<th>Education</th>
 	<th>Mobile</th>
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td></td>
 	<td></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal.
 Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures.
 <!--/Description-->
 <!--SupportedValues-->
 <!--/SupportedValues-->
 <!--Example-->
 <!--/Example-->
 <!--Validation-->
 <!--/Validation-->
 <!--/Policy-->
 <hr/>
 Footnote:
@ -361,6 +420,7 @@ Footnote:
 -   2 - Added in Windows 10, version 1703.
 -   3 - Added in Windows 10, version 1709.
 -   4 - Added in Windows 10, version 1803.
 -   5 - Added in the next major release of Windows 10.
 <!--/Policies-->
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@ -21,6 +21,7 @@
 ### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
 ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
 ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
 ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
 ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
 #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
 #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@ -0,0 +1,32 @@
 ---
 title: Windows Defender Application Control and .NET Hardening (Windows 10)
 description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime.
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: morganbr
 ms.date: 08/20/2018
 ---
 # Windows Defender Application Control and .NET hardening 
 Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those approved by an organization. 
 Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. 
 Beginning with Windows 10, version 1803, WDAC features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime. 
 When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources. 
 Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. 
 Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries. 
 Additionally, a small number of .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled. 
 Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. 
 To enable Dynamic Code Security, add the following option to the <Rules> section of your policy: 
 ```xml
 <Rule> 
    <Option>Enabled:Dynamic Code Security</Option> 
 </Rule>
 ```