From 4960f266b9d149bf45af15c8e5da63711c5acb00 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 9 Aug 2021 10:45:43 -0700 Subject: [PATCH 1/5] Created a new section Deploy Managed Installer. --- ...-apps-deployed-with-a-managed-installer.md | 99 +++++++++++++++++-- 1 file changed, 91 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 5028f2de9f..2b1f04c83c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -93,27 +93,86 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ``` -An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below. +An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and Powershell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. ```xml - - + + + + - - + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + ``` - ### Enable service enforcement in AppLocker policy Since many installation processes rely on services, it is typically necessary to enable tracking of services. 
@@ -214,3 +273,27 @@ Ea Value Length: 7e ## Enabling managed installer logging events Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. + +## Deploying the Managed Installer + +Once you've completed configuring your chosen Managed Installer, by specifying which to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. + +1. Using the following command to deploy the policy. + ```powershell + Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue + ``` + +2. Verify policy deployment + ```powershell + Get-AppLockerPolicy -Local + + Version RuleCollections RuleCollectionTypes + ------- --------------- ------------------- + 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} + ``` + Notice the output shows the ManagedInstaller rule is there. + +3. Get the policy XML (optional) using PS: + ```powershell + Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue + ``` \ No newline at end of file From 40db0defb89e68c9f6cddc97f6bb9f537b145272 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 10 Aug 2021 11:57:33 -0700 Subject: [PATCH 2/5] Update configure-authorized-apps-deployed-with-a-managed-installer.md --- ...igure-authorized-apps-deployed-with-a-managed-installer.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 2b1f04c83c..980f12be1b 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 07/15/2021 +ms.date: 08/10/2021 ms.technology: mde --- @@ -296,4 +296,4 @@ Once you've completed configuring your chosen Managed Installer, by specifying w 3. Get the policy XML (optional) using PS: ```powershell Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue - ``` \ No newline at end of file + ``` From 79374e0892df854a1538d3555622f25b7bdb0c51 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 10 Aug 2021 12:05:54 -0700 Subject: [PATCH 3/5] Implemented Jordan's suggested edits. --- ...-authorized-apps-deployed-with-a-managed-installer.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 980f12be1b..3d3dfe707c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
@@ -283,17 +283,22 @@ Once you've completed configuring your chosen Managed Installer, by specifying w Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue ``` -2. Verify policy deployment +2. Verify Deployment of the Rule set was successful ```powershell + $policyFile= + @" + Raw_AppLocker_Policy_XML + "@ Get-AppLockerPolicy -Local Version RuleCollections RuleCollectionTypes ------- --------------- ------------------- 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} ``` - Notice the output shows the ManagedInstaller rule is there. + Verify the output shows the ManagedInstaller rule set. 3. Get the policy XML (optional) using PS: ```powershell Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue ``` + This command will show the raw XML to verify the individual rules that were set. \ No newline at end of file From 26ecad46c2b81d9cb37340ce6b7e187f76ddef09 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 10 Aug 2021 12:10:16 -0700 Subject: [PATCH 4/5] Made one correction and place policy file declaration in proper location. --- ...horized-apps-deployed-with-a-managed-installer.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 3d3dfe707c..0ab03f97aa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
@@ -280,22 +280,22 @@ Once you've completed configuring your chosen Managed Installer, by specifying w 1. Using the following command to deploy the policy. ```powershell + $policyFile= + @" + Raw_AppLocker_Policy_XML + "@ Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue ``` 2. Verify Deployment of the Rule set was successful ```powershell - $policyFile= - @" - Raw_AppLocker_Policy_XML - "@ Get-AppLockerPolicy -Local Version RuleCollections RuleCollectionTypes ------- --------------- ------------------- - 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} + 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} ``` - Verify the output shows the ManagedInstaller rule set. + Verify the output shows the ManagedInstaller rule set. 3. Get the policy XML (optional) using PS: ```powershell From 664cd58e1cfefdd7101dc651d54d76aaf36c9ac9 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 11 Aug 2021 12:30:04 -0700 Subject: [PATCH 5/5] Applied addition edit suggestions. --- ...horized-apps-deployed-with-a-managed-installer.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 0ab03f97aa..15639fd8d3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
@@ -93,7 +93,7 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ``` -An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and Powershell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. +An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. ```xml @@ -274,11 +274,11 @@ Ea Value Length: 7e Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. -## Deploying the Managed Installer +## Deploying the Managed Installer rule collection -Once you've completed configuring your chosen Managed Installer, by specifying which to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. +Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. -1. Using the following command to deploy the policy. +1. Use the following command to deploy the policy. ```powershell $policyFile= @" @@ -287,7 +287,7 @@ Once you've completed configuring your chosen Managed Installer, by specifying w Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue ``` -2. Verify Deployment of the Rule set was successful +2. Verify Deployment of the ruleset was successful ```powershell Get-AppLockerPolicy -Local 
@@ -297,7 +297,7 @@ Once you've completed configuring your chosen Managed Installer, by specifying w ``` Verify the output shows the ManagedInstaller rule set. -3. Get the policy XML (optional) using PS: +3. Get the policy XML (optional) using PowerShell: ```powershell Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue ```
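Review bot: The sentence added at the top of the @@ -93,27 +93,86 @@ hunk in [PATCH 1/5] needs a caveat about what it means to list PowerShell and PowerShell ISE as managed installers. A managed installer is trusted for everything it writes to disk, so designating a general-purpose scripting host extends that trust to any file produced by any script run in it. "Remove any rules that you do not wish to designate as a Managed Installer" makes the broad configuration the default and leaves the reader to opt out. Suggest either keeping the sample to the MEMCM and Intune rules and showing the PowerShell rules as an optional addition, or stating the consequence directly next to the example.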
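Review bot: Step 1 in the @@ -214,3 +273,27 @@ hunk of [PATCH 1/5] deploys with "Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue", which hides a failed deployment from the person running it. For a command that applies a security policy the error should surface, so suggest dropping -ErrorAction SilentlyContinue or using -ErrorAction Stop. Since -Merge combines the new rules with whatever local policy already exists, a sentence saying so would also help readers interpret the output in step 2. Separately, step 2 puts the command and its sample output in the same powershell fence; splitting the output into its own block would keep the command copyable.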
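Review bot: The last added line of the [PATCH 3/5] hunk ("This command will show the raw XML to verify the individual rules that were set.") is followed by "\ No newline at end of file", which reintroduces the missing trailing newline that [PATCH 2/5] had just fixed. Please end the file with a newline. In the same hunk, the step 2 heading "Verify Deployment of the Rule set was successful" has stray capitals and reads awkwardly; "Verify that the rule set was deployed successfully" would be clearer.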
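Review bot: In the [PATCH 4/5] hunk, the variable moved into step 1 is named $policyFile but is assigned a here-string holding "Raw_AppLocker_Policy_XML", so the name says path and the value is content. Set-AppLockerPolicy documents -XmlPolicy as the path and file name of an XML policy file, so please confirm that a raw XML string is accepted here. If it is not, write the XML to a file first and pass that path; if it is, rename the variable (for example $policyXml) and say in the step text that the placeholder is to be replaced with the full policy XML. With -ErrorAction SilentlyContinue still on the command, a wrong argument form would fail without any message.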
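Review bot: The casing fix in the @@ -93,7 +93,7 @@ hunk of [PATCH 5/5] is incomplete: the changed line now reads "Powershell, and PowerShell ISE", so the first occurrence still has the lowercase "s". Suggest "PowerShell, and PowerShell ISE".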
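Review bot: Terminology is inconsistent across the @@ -274,11 +274,11 @@ hunk of [PATCH 5/5]: the new heading says "rule collection", step 2 now says "ruleset", and the unchanged line under step 2 says "rule set". Pick one term ("rule collection" matches the AppLocker XML and the heading) and use it in all three places. The step 2 heading also keeps the capital in "Verify Deployment" and has no closing punctuation, unlike step 1.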
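Review bot: Step 3 in the @@ -297,7 +297,7 @@ hunk of [PATCH 5/5] still runs "Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue", which captures errors in $ev but never tells the reader to look at it, so an empty result and a failed query look the same. Either drop the two error parameters or add a line that checks $ev. It would also help to say why step 2 queries -Local while step 3 queries -Effective, since the two can differ when policy is also delivered by Group Policy.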