Add auto image borders and/or lightboxes to aid legibility

Gary Moore
2024-09-25 12:48:06 -07:00
parent c974690ed2
commit dc0eda847a
11 changed files with 30 additions and 35 deletions

View File

@ -25,8 +25,8 @@ To familiarize yourself with creating App Control rules from audit events, follo
2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding App Control events](../operations/event-id-explanations.md).
**Figure 1. Exceptions to the deployed App Control policy**
![Event showing exception to App Control policy.](../images/dg-fig23-exceptionstocode.png)
**Figure 1. Exceptions to the deployed App Control policy**<br>
:::image type="content" alt-text="Event showing exception to App Control policy." source="../images/dg-fig23-exceptionstocode.png":::
3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create an App Control policy for fully managed devices](../design/create-appcontrol-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
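Review bot: the `<br>` appended to the bold **Figure 1** caption, on the line just above the new `:::image:::` line, is inline HTML used only to force a line break, and it leaves this caption bold and above the image while the other files in this commit keep plain `Figure N.` captions below the image. Drop the `<br>`, separate the caption from the image with a blank line, and settle on one caption position and style for all the figures touched here.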

View File

@ -75,7 +75,7 @@ Now that the template is available to be issued, you must request one from the c
4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.
![Request Certificates: more information required.](../images/dg-fig31-getmoreinfo.png)
:::image type="content" alt-text="Request Certificates: more information required." source="../images/dg-fig31-getmoreinfo.png":::
Figure 4. Get more information for your code signing certificate
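Review bot: the new `:::image:::` line for dg-fig31-getmoreinfo.png carries no `lightbox` attribute, although step 4 asks the reader to find "the blue text that requests additional information" in this screenshot and the commit title names lightboxes as one of the legibility aids. If the screenshot is wider than the rendered column, add `lightbox="../images/dg-fig31-getmoreinfo.png"` so the link text can be read at full size.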

View File

@ -50,7 +50,7 @@ To deploy and manage an App Control for Business policy with Group Policy:
> [!NOTE]
> This policy file does not need to be copied to every computer. You can instead copy the App Control policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
![Group Policy called Deploy App Control for Business.](../images/dg-fig26-enablecode.png)
:::image type="content" alt-text="Group Policy called Deploy App Control for Business." source="../images/dg-fig26-enablecode.png":::
> [!NOTE]
> You may have noticed that the GPO setting references a .p7b file, but the file extension and name of the policy binary do not matter. Regardless of what you name your policy binary, they are all converted to SIPolicy.p7b when applied to the client computers running Windows 10. If you are deploying different App Control policies to different sets of devices, you may want to give each of your App Control policies a friendly name and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
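Review bot: the new `:::image:::` line for dg-fig26-enablecode.png sits directly between two `> [!NOTE]` blocks in this hunk, with no blank line shown on either side. Confirm the file has a blank line before and after it; without one, Markdown lazy continuation can pull the image line into the first note instead of rendering it as a standalone figure.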

View File

@ -28,49 +28,49 @@ Configuration Manager doesn't remove policies once deployed. To stop enforcement
1. Select **Asset and Compliance** > **Endpoint Protection** > **App Control for Business** > **Create Application Control Policy**
![Create an App Control policy in Configuration Manager.](../images/memcm/memcm-create-appcontrol-policy.jpg)
:::image type="content" alt-text="Create an App Control policy in Configuration Manager." source="../images/memcm/memcm-create-appcontrol-policy.jpg":::
2. Enter the name of the policy > **Next**
3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes**
4. Select the mode that you want the policy to run (Enforcement enabled / Audit Only)
5. Select **Next**
![Create an enforced App Control policy in Configuration Manager.](../images/memcm/memcm-create-appcontrol-policy-2.jpg)
:::image type="content" alt-text="Create an enforced App Control policy in Configuration Manager." source="../images/memcm/memcm-create-appcontrol-policy-2.jpg":::
6. Select **Add** to begin creating rules for trusted software
![Create an App Control path rule in Configuration Manager.](../images/memcm/memcm-create-appcontrol-rule.jpg)
:::image type="content" alt-text="Create an App Control path rule in Configuration Manager." source="../images/memcm/memcm-create-appcontrol-rule.jpg":::
7. Select **File** or **Folder** to create a path rule > **Browse**
![Select a file or folder to create a path rule.](../images/memcm/memcm-create-appcontrol-rule-2.jpg)
:::image type="content" alt-text="Select a file or folder to create a path rule." source="../images/memcm/memcm-create-appcontrol-rule-2.jpg":::
8. Select the executable or folder for your path rule > **OK**
![Select the executable file or folder.](../images/memcm/memcm-create-appcontrol-rule-3.jpg)
:::image type="content" alt-text="Select the executable file or folder." source="../images/memcm/memcm-create-appcontrol-rule-3.jpg":::
9. Select **OK** to add the rule to the table of trusted files or folder
10. Select **Next** to navigate to the summary page > **Close**
![Confirm the App Control path rule in Configuration Manager.](../images/memcm/memcm-confirm-appcontrol-rule.jpg)
:::image type="content" alt-text="Confirm the App Control path rule in Configuration Manager." source="../images/memcm/memcm-confirm-appcontrol-rule.jpg":::
### Deploy the App Control policy in Configuration Manager
1. Right-click the newly created policy > **Deploy Application Control Policy**
![Deploy App Control via Configuration Manager.](../images/memcm/memcm-deploy-appcontrol.jpg)
:::image type="content" alt-text="Deploy App Control via Configuration Manager." source="../images/memcm/memcm-deploy-appcontrol.jpg":::
2. Select **Browse**
![Select Browse.](../images/memcm/memcm-deploy-appcontrol-2.jpg)
:::image type="content" alt-text="Select Browse." source="../images/memcm/memcm-deploy-appcontrol-2.jpg":::
3. Select the Device Collection you created earlier > **OK**
![Select the device collection.](../images/memcm/memcm-deploy-appcontrol-3.jpg)
:::image type="content" alt-text="Select the device collection." source="../images/memcm/memcm-deploy-appcontrol-3.jpg":::
4. Change the schedule > **OK**
![Change the App Control deployment schedule.](../images/memcm/memcm-deploy-appcontrol-4.jpg)
:::image type="content" alt-text="Change the App Control deployment schedule." source="../images/memcm/memcm-deploy-appcontrol-4.jpg":::
For more information on using Configuration Manager's native App Control policies, see [App Control for Business management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
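Review bot: several alt-text values carried over into the new `:::image:::` lines in the deploy steps are instructions rather than descriptions, for example `alt-text="Select Browse."` and `alt-text="Select the device collection."`, which only repeat the step text above them. Since every image line in this hunk is being rewritten anyway, reword these to describe what the screenshot shows (which dialog or wizard page, and which control is highlighted) so that a screen-reader user gets information the numbered step does not already give.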

View File

@ -108,7 +108,7 @@ For the code signing certificate that you use to sign the catalog file, import i
3. Verify the catalog file's digital signature. Right-click the catalog file, and then select **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1.
![Digital Signature list in file Properties.](../images/dg-fig12-verifysigning.png)
:::image type="content" alt-text="Digital Signature list in file Properties." source="../images/dg-fig12-verifysigning.png":::
Figure 1. Verify that the signing certificate exists.
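Review bot: the alt text on the new `:::image:::` line, "Digital Signature list in file Properties.", omits the one detail step 3 asks the reader to confirm, namely that the signing certificate is listed with a **sha256** algorithm. Extend the alt text to say that the list shows the signer together with its digest algorithm, so the verification step is still usable when the image cannot be seen.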
@ -131,7 +131,7 @@ The following process walks you through the deployment of a signed catalog file
> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining App Control policies.
![Group Policy Management, create a GPO.](../images/dg-fig13-createnewgpo.png)
:::image type="content" alt-text="Group Policy Management, create a GPO." source="../images/dg-fig13-createnewgpo.png":::
Figure 2. Create a new GPO.
@ -141,7 +141,7 @@ The following process walks you through the deployment of a signed catalog file
5. Within the selected GPO, navigate to **Computer Configuration\\Preferences\\Windows Settings\\Files**. Right-click **Files**, point to **New**, and then select **File**, as shown in Figure 3.
![Group Policy Management Editor, New File.](../images/dg-fig14-createnewfile.png)
:::image type="content" alt-text="Group Policy Management Editor, New File." source="../images/dg-fig14-createnewfile.png":::
Figure 3. Create a new file.