windows-itpro-docs/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md

---
title: Managed installer and ISG technical reference and troubleshooting guide (Windows)
description: Explains how to configure a custom Managed Installer.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 08/14/2020
ms.technology: windows-sec
---

Managed installer and ISG technical reference and troubleshooting guide

Applies to:

  • Windows 10
  • Windows 11
  • Windows Server 2019 and above

Note

Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the Application Control feature availability.

Using fsutil to query SmartLocker EA

Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or the Intelligent Security Graph (ISG) enabled can use fsutil to determine whether a file was allowed to run by one of these features. To do this, query the extended attributes (EAs) on the file with fsutil and look for the $KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. Use this check together with the MI and ISG logging events described below, which record why a file was allowed.

Example:

fsutil file queryEA C:\Users\Temp\Downloads\application.exe

Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe:

Ea Buffer Offset: 410
Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM
Ea Value Length: 7e
0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................
0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. *
0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\......
0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:.
0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T.
0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n...
0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l.
0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e
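The check above is easy to automate for a batch of files, for example when triaging a download folder during an investigation. The following PowerShell function is an added example (not part of the original article) that wraps fsutil file queryEA and reports whether the $KERNEL.SMARTLOCKER.ORIGINCLAIM EA is present on each file. It assumes fsutil.exe is on the PATH and that the session is allowed to read the files; it only inspects the "Ea Name:" lines of fsutil's report and does not interpret the EA value. The sample report at the end is constructed so the parser can be exercised offline.

```powershell
# Added example (not from the original article): batch check for the SmartLocker
# origin-claim EA by parsing "fsutil file queryEA" output.
# Assumptions: fsutil.exe is on PATH and the caller can read the files.

function ConvertFrom-FsutilEaReport {
    param([string[]]$Lines)
    # Returns $true when any "Ea Name:" line names the SmartLocker origin-claim EA.
    # Only the name is examined; the hex dump of the value is ignored.
    foreach ($line in $Lines) {
        if ($line -match '^\s*Ea Name:\s*(\S+)') {
            if ($Matches[1] -ieq '$KERNEL.SMARTLOCKER.ORIGINCLAIM') { return $true }
        }
    }
    return $false
}

function Test-SmartLockerOriginClaim {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            $full = (Resolve-Path -LiteralPath $p -ErrorAction Stop).ProviderPath
            # fsutil writes its report to stdout; capture it line by line
            $report = & fsutil.exe file queryEA $full 2>&1
            [pscustomobject]@{
                Path           = $full
                HasOriginClaim = ConvertFrom-FsutilEaReport -Lines ([string[]]$report)
            }
        }
    }
}

# Constructed sample of a fsutil report, used to exercise the parser offline
$sampleReport = @'
Extended Attributes (EA) information for file C:\Example\app.exe:

Ea Buffer Offset: 410
Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM
Ea Value Length: 7e
0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................
'@ -split "`r?`n"

ConvertFrom-FsutilEaReport -Lines $sampleReport   # $true for the constructed sample

# Live usage against the folder from the article's example:
# (Get-ChildItem 'C:\Users\Temp\Downloads' -Filter *.exe).FullName | Test-SmartLockerOriginClaim
```

A file without the EA simply produces HasOriginClaim = $false; that tells you MI or ISG did not mark it, not why it was or was not allowed to run, which is what the logging events in the next section are for.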

Enabling managed installer logging events

Refer to Understanding Application Control Events for information on enabling optional managed installer diagnostic events.

Deploying the Managed Installer rule collection

Once you've finished configuring your chosen Managed Installer (specifying it in the AppLocker policy, enabling service enforcement of that policy, and enabling the Managed Installer option in a WDAC policy), you'll need to deploy it.

  1. Use the following command to deploy the policy.

    # Raw_AppLocker_Policy_XML is the AppLocker policy you authored while configuring
    # the Managed Installer; the here-string closer "@ must start its own line.
    $policyFile = @"
    Raw_AppLocker_Policy_XML
    "@
    Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue
    
  2. Verify that the ruleset was deployed successfully.

    Get-AppLockerPolicy -Local
    
    Version RuleCollections RuleCollectionTypes
    ------- --------------- -------------------
    1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...}
    

    Verify the output shows the ManagedInstaller rule set.

  3. Get the policy XML (optional) using PowerShell:

    Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue
    

    This command shows the raw XML so you can verify the individual rules that were set.
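The three steps above can be combined into one function that fails loudly when something is wrong, rather than relying on -ErrorAction SilentlyContinue and a visual check of the table. The following is an added example (not part of the original article or the AppLocker cmdlets' documentation): it loads a policy file you already authored, refuses to deploy it if it carries no ManagedInstaller rule collection, merges it, and then reads the effective policy XML back to confirm the collection landed. The $PolicyPath parameter and the sample path in the final comment are assumptions; the script does not generate the policy XML.

```powershell
# Added example (not from the original article): deploy an AppLocker policy that
# carries a ManagedInstaller rule collection and verify it from the effective policy.
# Assumption: $PolicyPath is an AppLocker policy XML authored earlier; the path
# in the usage comment at the end is a placeholder.

function Deploy-ManagedInstallerPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$PolicyPath
    )

    # Parse the file first so a malformed policy fails here, not inside Set-AppLockerPolicy
    [xml]$policy = Get-Content -LiteralPath $PolicyPath -Raw
    $toDeploy = @($policy.AppLockerPolicy.RuleCollection |
        Where-Object { $_.Type -eq 'ManagedInstaller' })
    if ($toDeploy.Count -eq 0) {
        throw "No RuleCollection of Type 'ManagedInstaller' found in $PolicyPath"
    }

    # -Merge keeps the existing rule collections; -ErrorAction Stop surfaces
    # deployment failures instead of silently continuing
    Set-AppLockerPolicy -XmlPolicy $policy.OuterXml -Merge -ErrorAction Stop

    # Step 3 of the article: read the effective policy back as XML and check it
    [xml]$effective = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
    $deployed = @($effective.AppLockerPolicy.RuleCollection |
        Where-Object { $_.Type -eq 'ManagedInstaller' })

    $ruleCount = 0
    foreach ($collection in $deployed) { $ruleCount += $collection.ChildNodes.Count }

    [pscustomobject]@{
        PolicyPath               = $PolicyPath
        ManagedInstallerDeployed = ($deployed.Count -gt 0)
        RuleCount                = $ruleCount
        EnforcementMode          = (($deployed | ForEach-Object { $_.EnforcementMode }) -join ',')
    }
}

# Usage (placeholder path):
# Deploy-ManagedInstallerPolicy -PolicyPath 'C:\Policies\ManagedInstaller.xml'
```

ManagedInstallerDeployed should be $true and RuleCount should match the number of rules in your file; if EnforcementMode reads back differently from what you authored, a domain policy is overriding the local one, which is why the verification uses -Effective rather than -Local.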