mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Add auto image borders and/or lightboxes to aid legibility
This commit is contained in:
Gary Moore
parent
c974690ed2
commit
dc0eda847a
@ -18,7 +18,7 @@ You can use the App Control for Business Wizard and the PowerShell commands to c
|
||||
|
||||
Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../design/appcontrol-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
|
||||
|
||||
|
||||
:::image type="content" alt-text="Configuring the policy base and template." source="../images/appid-appcontrol-wizard-1.png" lightbox="../images/appid-appcontrol-wizard-1.png":::
|
||||
|
||||
> [!NOTE]
|
||||
> If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates. For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
|
||||
|
||||
@ -25,8 +25,8 @@ To familiarize yourself with creating App Control rules from audit events, follo
|
||||
|
||||
2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding App Control events](../operations/event-id-explanations.md).
|
||||
|
||||
**Figure 1. Exceptions to the deployed App Control policy**
|
||||
|
||||
**Figure 1. Exceptions to the deployed App Control policy**<br>
|
||||
:::image type="content" alt-text="Event showing exception to App Control policy." source="../images/dg-fig23-exceptionstocode.png":::
|
||||
|
||||
3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create an App Control policy for fully managed devices](../design/create-appcontrol-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
|
||||
|
||||
|
||||
@ -75,7 +75,7 @@ Now that the template is available to be issued, you must request one from the c
|
||||
|
||||
4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.
|
||||
|
||||
|
||||
:::image type="content" alt-text="Request Certificates: more information required." source="../images/dg-fig31-getmoreinfo.png":::
|
||||
|
||||
Figure 4. Get more information for your code signing certificate
|
||||
|
||||
|
||||
@ -50,7 +50,7 @@ To deploy and manage an App Control for Business policy with Group Policy:
|
||||
> [!NOTE]
|
||||
> This policy file does not need to be copied to every computer. You can instead copy the App Control policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
|
||||
|
||||
|
||||
:::image type="content" alt-text="Group Policy called Deploy App Control for Business." source="../images/dg-fig26-enablecode.png":::
|
||||
|
||||
> [!NOTE]
|
||||
> You may have noticed that the GPO setting references a .p7b file, but the file extension and name of the policy binary do not matter. Regardless of what you name your policy binary, they are all converted to SIPolicy.p7b when applied to the client computers running Windows 10. If you are deploying different App Control policies to different sets of devices, you may want to give each of your App Control policies a friendly name and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
|
||||
|
||||
@ -28,49 +28,49 @@ Configuration Manager doesn't remove policies once deployed. To stop enforcement
|
||||
|
||||
1. Select **Asset and Compliance** > **Endpoint Protection** > **App Control for Business** > **Create Application Control Policy**
|
||||
|
||||
|
||||
:::image type="content" alt-text="Create an App Control policy in Configuration Manager." source="../images/memcm/memcm-create-appcontrol-policy.jpg":::
|
||||
|
||||
2. Enter the name of the policy > **Next**
|
||||
3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes**
|
||||
4. Select the mode that you want the policy to run (Enforcement enabled / Audit Only)
|
||||
5. Select **Next**
|
||||
|
||||
|
||||
:::image type="content" alt-text="Create an enforced App Control policy in Configuration Manager." source="../images/memcm/memcm-create-appcontrol-policy-2.jpg":::
|
||||
|
||||
6. Select **Add** to begin creating rules for trusted software
|
||||
|
||||
|
||||
:::image type="content" alt-text="Create an App Control path rule in Configuration Manager." source="../images/memcm/memcm-create-appcontrol-rule.jpg":::
|
||||
|
||||
7. Select **File** or **Folder** to create a path rule > **Browse**
|
||||
|
||||
|
||||
:::image type="content" alt-text="Select a file or folder to create a path rule." source="../images/memcm/memcm-create-appcontrol-rule-2.jpg":::
|
||||
|
||||
8. Select the executable or folder for your path rule > **OK**
|
||||
|
||||
|
||||
:::image type="content" alt-text="Select the executable file or folder." source="../images/memcm/memcm-create-appcontrol-rule-3.jpg":::
|
||||
|
||||
9. Select **OK** to add the rule to the table of trusted files or folder
|
||||
10. Select **Next** to navigate to the summary page > **Close**
|
||||
|
||||
|
||||
:::image type="content" alt-text="Confirm the App Control path rule in Configuration Manager." source="../images/memcm/memcm-confirm-appcontrol-rule.jpg":::
|
||||
|
||||
### Deploy the App Control policy in Configuration Manager
|
||||
|
||||
1. Right-click the newly created policy > **Deploy Application Control Policy**
|
||||
|
||||
|
||||
:::image type="content" alt-text="Deploy App Control via Configuration Manager." source="../images/memcm/memcm-deploy-appcontrol.jpg":::
|
||||
|
||||
2. Select **Browse**
|
||||
|
||||
|
||||
:::image type="content" alt-text="Select Browse." source="../images/memcm/memcm-deploy-appcontrol-2.jpg":::
|
||||
|
||||
3. Select the Device Collection you created earlier > **OK**
|
||||
|
||||
|
||||
:::image type="content" alt-text="Select the device collection." source="../images/memcm/memcm-deploy-appcontrol-3.jpg":::
|
||||
|
||||
4. Change the schedule > **OK**
|
||||
|
||||
|
||||
:::image type="content" alt-text="Change the App Control deployment schedule." source="../images/memcm/memcm-deploy-appcontrol-4.jpg":::
|
||||
|
||||
For more information on using Configuration Manager's native App Control policies, see [App Control for Business management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
|
||||
|
||||
|
||||
@ -108,7 +108,7 @@ For the code signing certificate that you use to sign the catalog file, import i
|
||||
|
||||
3. Verify the catalog file's digital signature. Right-click the catalog file, and then select **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1.
|
||||
|
||||
|
||||
:::image type="content" alt-text="Digital Signature list in file Properties." source="../images/dg-fig12-verifysigning.png":::
|
||||
|
||||
Figure 1. Verify that the signing certificate exists.
|
||||
|
||||
@ -131,7 +131,7 @@ The following process walks you through the deployment of a signed catalog file
|
||||
> [!NOTE]
|
||||
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining App Control policies.
|
||||
|
||||
|
||||
:::image type="content" alt-text="Group Policy Management, create a GPO." source="../images/dg-fig13-createnewgpo.png":::
|
||||
|
||||
Figure 2. Create a new GPO.
|
||||
|
||||
@ -141,7 +141,7 @@ The following process walks you through the deployment of a signed catalog file
|
||||
|
||||
5. Within the selected GPO, navigate to **Computer Configuration\\Preferences\\Windows Settings\\Files**. Right-click **Files**, point to **New**, and then select **File**, as shown in Figure 3.
|
||||
|
||||
|
||||
:::image type="content" alt-text="Group Policy Management Editor, New File." source="../images/dg-fig14-createnewfile.png":::
|
||||
|
||||
Figure 3. Create a new file.
|
||||
|
||||
|
||||
@ -22,11 +22,11 @@ Once the Supplemental Policy type is chosen on the New Policy page, policy name
|
||||
|
||||
If the base policy isn't configured for supplemental policies, the Wizard attempts to convert the policy to one that can be supplemented. Once successful, the Wizard shows a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed.
|
||||
|
||||
|
||||
:::image type="content" alt-text="Wizard confirms modification of base policy." source="../images/appcontrol-wizard-confirm-base-policy-modification.png":::
|
||||
|
||||
Policies that can't be supplemented, for instance another supplemental policy, are detected by the Wizard and show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-appcontrol-policies.md).
|
||||
|
||||
|
||||
:::image type="content" alt-text="Wizard detects a bad base policy." source="../images/appcontrol-wizard-supplemental-not-base.png":::
|
||||
|
||||
## Configuring Policy Rules
|
||||
|
||||
@ -44,7 +44,7 @@ Supplemental policies can only configure three policy rules. The following table
|
||||
| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Configuration Manager, that has been defined as a managed installer. |
|
||||
| **Disable Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. |
|
||||
|
||||
|
||||
:::image type="content" alt-text="Rule options UI for Windows Allowed mode." source="../images/appcontrol-wizard-supplemental-policy-rule-options-UI.png":::
|
||||
|
||||
## Creating custom file rules
|
||||
|
||||
|
||||
@ -35,7 +35,7 @@ Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more
|
||||
|
||||
The App Control Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table.
|
||||
|
||||
|
||||
:::image type="content" alt-text="Removing file rule from policy during edit." source="../images/appcontrol-wizard-edit-remove-file-rule.png":::
|
||||
|
||||
**Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2.
|
||||
|
||||
|
||||
@ -17,4 +17,4 @@ Select the policies you wish to merge into one policy using the `+ Add Policy` b
|
||||
|
||||
Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy.
|
||||
|
||||
|
||||
:::image type="content" alt-text="Merging App Control policies into a final App Control policy." source="../images/appcontrol-wizard-merge.png":::
|
||||
|
||||
@ -26,8 +26,7 @@ To create rules from the App Control event logs on the system:
|
||||
|
||||
The Wizard parses the relevant audit and block events from the CodeIntegrity (App Control) Operational and AppLocker MSI and Script logs. You see a notification when the Wizard successfully finishes reading the events.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> [](../images/appcontrol-wizard-event-log-system-expanded.png)
|
||||
:::image type="content" alt-text="Parse App Control and AppLocker event log system events." source="../images/appcontrol-wizard-event-log-system.png" lightbox="../images/appcontrol-wizard-event-log-system.png":::
|
||||
|
||||
4. Select the Next button to view the audit and block events and create rules.
|
||||
5. [Generate rules from the events](#creating-policy-rules-from-the-events).
|
||||
@ -43,8 +42,7 @@ To create rules from the App Control `.EVTX` event logs files on the system:
|
||||
|
||||
The Wizard parses the relevant audit and block events from the selected log files. You see a notification when the Wizard successfully finishes reading the events.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> [](../images/appcontrol-wizard-event-log-files-expanded.png)
|
||||
:::image type="content" alt-text="Parse evtx file App Control events" source="../images/appcontrol-wizard-event-log-files.png" lightbox="../images/appcontrol-wizard-event-log-files.png":::
|
||||
|
||||
5. Select the Next button to view the audit and block events and create rules.
|
||||
6. [Generate rules from the events](#creating-policy-rules-from-the-events).
|
||||
@ -80,8 +78,7 @@ To create rules from the App Control events in [MDE Advanced Hunting](../operati
|
||||
|
||||
2. Export the App Control event results by selecting the **Export** button in the results view.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> [](../images/appcontrol-wizard-event-log-mde-ah-export-expanded.png)
|
||||
:::image type="content" alt-text="Export the MDE Advanced Hunting results to CSV" source="../images/appcontrol-wizard-event-log-mde-ah-export.png" lightbox="../images/appcontrol-wizard-event-log-mde-ah-export.png":::
|
||||
|
||||
3. Select **Policy Editor** from the main page.
|
||||
4. Select **Convert Event Log to an App Control Policy**.
|
||||
@ -90,8 +87,7 @@ To create rules from the App Control events in [MDE Advanced Hunting](../operati
|
||||
|
||||
The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You see a notification when the Wizard successfully finishes reading the events.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> [](../images/appcontrol-wizard-event-log-mde-ah-parsing-expanded.png)
|
||||
:::image type="content" alt-text="Parse the Advanced Hunting CSV App Control event files." source="../images/appcontrol-wizard-event-log-mde-ah-parsing.png" lightbox="../images/appcontrol-wizard-event-log-mde-ah-parsing.png":::
|
||||
|
||||
7. Select the Next button to view the audit and block events and create rules.
|
||||
8. [Generate rules from the events](#creating-policy-rules-from-the-events).
|
||||
@ -107,8 +103,7 @@ To create a rule and add it to the App Control policy:
|
||||
3. Select the attributes and fields that should be added to the policy rules using the checkboxes provided for the rule type.
|
||||
4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label is shown in the selected row confirming that the rule will be generated.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> [](../images/appcontrol-wizard-event-rule-creation-expanded.png)
|
||||
:::image type="content" alt-text="Adding a publisher rule to the App Control policy" source="../images/appcontrol-wizard-event-rule-creation.png" lightbox="../images/appcontrol-wizard-event-rule-creation.png":::
|
||||
|
||||
5. Select the **Next** button to output the policy. Once generated, the event log policy should be merged with your base or supplemental policies.
|
||||
|
||||
|
||||
@ -30,7 +30,7 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
|
||||
1. Select **Start** > type and then select **Edit group policy**.
|
||||
1. Select **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
|
||||
|
||||
|
||||
:::image type="content" alt-text="Secure Launch Configuration." source="images/secure-launch-group-policy.png" lightbox="images/secure-launch-group-policy.png":::
|
||||
|
||||
### Windows Security
|
||||
|
||||
@ -52,7 +52,7 @@ Select **Start** > **Settings** > **Update & Security** > **Windows Security** >
|
||||
|
||||
To verify that Secure Launch is running, use System Information (MSInfo32). Select **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
|
||||
|
||||
|
||||
:::image type="content" alt-text="Verifying Secure Launch is running in the Windows Security settings." source="images/secure-launch-msinfo.png" lightbox="images/secure-launch-msinfo.png":::
|
||||
|
||||
> [!NOTE]
|
||||
> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md), [Credential Guard](../identity-protection/credential-guard/index.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user