deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge changes from Pr/10 branch

Browse Source
This commit is contained in:
brbrahm 2020-01-22 14:55:08 -08:00
parent 2862f7232f
commit eeac6857a3
3 changed files with 59 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -1,11 +1,13 @@
---
title: ApplicationControl CSP
description: ApplicationControl CSP
description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from a MDM server.
keywords: whitelisting, security, malware
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: ManikaDhiman
ms.reviewer: jsuther1974
ms.date: 05/21/2019
---
@ -61,7 +63,8 @@ This node specifies whether a policy is actually loaded by the enforcement engin
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
Value type is bool. Supported values are as follows:
- True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system.
- False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default.
@ -70,7 +73,8 @@ This node specifies whether a policy is deployed on the system and is present on
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
Value type is bool. Supported values are as follows:
- True — Indicates that the policy is deployed on the system and is present on the physical machine.
- False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default.
@ -79,7 +83,7 @@ This node specifies whether the policy is authorized to be loaded by the enforce
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
Value type is bool. Supported values are as follows:
- True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system.
- False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default.
@ -113,20 +117,21 @@ Scope is dynamic. Supported operation is Get.
Value type is char.
## Usage Guidance
## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
> ![Note]
> If using Intune standalone or for hybrid management with Configuration Manager (SCCM) through Microsoft Endpoint Manager, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) for more information on deploying policies with ApplicationControl CSP. Microsoft Intune handles the creation of a policy node and does all the below steps to deploy policies on your behalf, so you shouldn't do any of the below steps if using Intune to leverage ApplicationControl CSP.
For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
In order to use ApplicationControl CSP, you must:
## Non-Intune Usage Guidance
- Know a generated policys GUID, which can be found in the policy xml as `<PolicyID>` or `<PolicyTypeID>` for pre-1903 systems.
- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
- Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool.
In order to leverage the ApplicationControl CSP without using Intune, you must:
Here is a sample certutil invocation:
1. Know a generated policys GUID, which can be found in the policy xml as <PolicyID> or <PolicyTypeID> for pre-1903 systems.
2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool.
```
Below is a sample certutil invocation:
```cmd
certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
```
@ -136,16 +141,18 @@ An alternative to using certutil would be to use the following PowerShell invoca
[Convert]::toBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>))
```
### Deploy policies
### Deploy Policies
In order to deploy a new base policy or supplemental policy using the CSP:
To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below.
- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. Refer to the the Format section in the Example 1 below.
- Repeat for each base or supplemental policy (with its own GUID and data).
To deploy base policy and supplemental policies:
The following example shows the deployment of two base policies and a supplemental policy. Because the supplemental policy already specifies the base policy it supplements, that does not need to be repeated in the ADD.
1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
2. Repeat for each base or supplemental policy (with its own GUID and data).
**Example 1: Add first base policy**
The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD).
#### Example 1: Add first base policy
```xml
<Add>
@ -162,7 +169,7 @@ The following example shows the deployment of two base policies and a supplement
</Add>
```
**Example 2: Add second base policy**
#### Example 2: Add second base policy
```xml
<Add>
@ -179,7 +186,7 @@ The following example shows the deployment of two base policies and a supplement
</Add>
```
**Example 3: Add supplemental policy**
#### Example 3: Add supplemental policy
```xml
<Add>
@ -212,7 +219,7 @@ The following table displays the result of Get operation on different nodes:
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy|
The following is an example of Get command:
The following is an example of Get command:
```xml
<Get>
@ -227,10 +234,10 @@ The following is an example of Get command:
### Delete policies
To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy**.
To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy**.
> [!Note]
> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy** is not sufficient to delete a signed policy.
> [!NOTE]
> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy.
To delete a signed policy:

80
windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
View File

@ -1,6 +1,6 @@
---
title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Intune (Windows 10)
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
description: You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
@ -18,22 +18,20 @@ ms.date: 05/17/2018
---
> [!NOTE]
> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
# Deploy Windows Defender Application Control policies by using Microsoft Intune
**Applies to:**
- Windows 10
- Windows Server 2016
- Windows 10
- Windows Server 2016
Microsoft Intune can be used to configure Windows Defender Application Control (WDAC) on Windows 10 client computers. Intune includes both basic native support for WDAC as well as the option to use Custom OMA-URI for customized policies.
You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC). Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited.
Intune includes a limited number of default policies, which are available in both audit and enforce mode. You can use these default policies to only allow Windows components and Microsoft Store apps to run, or choose to also allow reputable apps defined by the [Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md). These policies are currently deployed using the [AppLocker CSP](windows\client-management\mdm\applocker-csp.md), which requires a reboot even for rebootless policies.
In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies via the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).
Intune also allows you the option of using Custom OMA-URI to deploy customized policies. Note that beginning in 1903, Custom OMA-URI deployment leverages the new [ApplicationControl CSP](windows\client-management\mdm\applicationcontrol-csp.md), which offers support for [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) and rebootless policies (policies that have the “Enabled:Update Policy No Reboot” option set don't require a reboot to take effect).
## Using Default Intune WDAC Policies
## Using Intune's Built-In Policies
1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
@ -46,53 +44,29 @@ Intune also allows you the option of using Custom OMA-URI to deploy customized p
- **Application control code integrity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Store apps to run.
- **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps.
![Configure WDAC](images/wdac-intune-wdac-settings.png)
![Configure built-in WDAC](images/wdac-intune-wdac-settings.png)
## Using Custom OMA-URI with ApplicationControl CSP
## Using a Custom OMA-URI Profile
For systems running Windows 10 version 1903 and above, the steps to use Custom OMA-URI functionality to leverage the [ApplicationControl CSP](windows\client-management\mdm\applicationcontrol-csp.md) and apply a Code Integrity policy are:
For 1903+ systems, the steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy are:
<!--TODO: add screenshots-->
1. Locate the policys GUID, which can be found in the policy xml as `<PolicyID>`
1. Know a generated policys GUID, which can be found in the policy xml as `<PolicyID>`
2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
4. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
5. Add a row, then give your policy a name and use the following settings:
- **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
- **Data type**: Base64
- **Certificate file**: upload your binary format policy file
![PolicyID](images/policy-id.png)
![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png)
2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. The binary policy may be signed or unsigned.
```powershell
ConvertFrom-CIPolicy -XmlFilePath ".\Policy.xml" - BinaryFilePath "Policy.bin"
```
3. In the Intune portal, navigate to Device configuration, then Profiles, then create a profile.
![Create profile](images/wdac-intune-custom-create-profile-name.png)
4. Name your policy, set Platform to Windows 10 and later, and change profile type to Custom (OMA-URI). Add a row and use the following:
- OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy
- Data type: Base64
- Certificate file: upload your binary format policy file
![Create Custom OMA-URI](images/wdac-intune-custom-oma-uri.png)
5. Set Scope and Applicability Rules, then save your policy.
6. Finally, assign your policy to the appropriate groups.
![Assign policy](wdac-intune-custom-assignment.png)
## Using Custom OMA-URI with AppLocker CSP
If you need to deploy your policies to clients running older versions of Windows 10, use Custom OMA-URI to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp):
<!--TODO: confirm if these steps are correct-->
1. Convert the policy to binary format using the ConvertFrom-CIPolicy cmdlet. The binary policy may be signed or unsigned.
2. In the Intune portal, navigate to Device configuration, then Profiles, then create a profile.
3. Name your policy, set Platform to Windows 10 and later, and change profile type to Custom (OMA-URI). Add a row and use the following:
- OMA-URI: ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy
- Data type: Base64
- Certificate file: upload your binary format policy file
4. Set Scope and Applicability Rules, then save your policy.
5. Finally, assign your policy to the appropriate groups.
For pre-1903 systems, the steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy are:
1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
2. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
4. Add a row, then give your policy a name and use the following settings:
- **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)
- **Data type**: Base64
- **Certificate file**: upload your binary format policy file

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 77 KiB

After

Width:  |  Height:  |  Size: 77 KiB