windows-itpro-docs/windows/security/application-security/application-control/app-control-for-business/design/use-appcontrol-policy-to-control-specific-plug-ins-add-ins-and-modules.md
2024-09-11 14:51:13 -06:00


---
title: Use an App Control for Business policy to control specific plug-ins, add-ins, and modules
description: App Control policies can be used not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps.
ms.localizationpriority: medium
ms.date: 09/11/2024
ms.topic: how-to
---

Use an App Control for Business policy to control specific plug-ins, add-ins, and modules

[!INCLUDE Feature availability note]

You can use App Control for Business policies to control applications and also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser):

| Approach | Guideline |
|---|---|
| You can work from a list of plug-ins, add-ins, or modules that you want only a specific application to be able to run. Other applications would be blocked from running them. | Use `New-CIPolicyRule` with the `-AppID` option. |
| In addition, you can work from a list of plug-ins, add-ins, or modules that you want to block in a specific application. Other applications would be allowed to run them. | Use `New-CIPolicyRule` with the `-AppID` and `-Deny` options. |

For example, to add rules to an App Control policy called "Lamna_FullyManagedClients_Audit.xml" that allow addin1.dll and addin2.dll to be run by ERP1.exe, Lamna's enterprise resource planning (ERP) application, run the following commands. In the second command, += is used to add a second rule to the $rule variable:

```powershell
$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe'
```

As another example, to create an App Control for Business policy that blocks addin3.dll from running in Microsoft Word, run the following command. You must include the -Deny option to block the specified add-ins in the specified application. Once you have all the rules you want, you can merge them into an existing App Control policy using the Merge-CIPolicy cmdlet as shown here:

```powershell
$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe'
Merge-CIPolicy -OutputFilePath .\Lamna_FullyManagedClients_Audit.xml -PolicyPaths .\Lamna_FullyManagedClients_Audit.xml -Rules $rule
```
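
The following is an added example, not part of the original article: it runs the same steps from a single list, merges into a staged copy instead of overwriting the audit policy in place, and then prints the merged rules for review. The staged file name is hypothetical, and the final filter assumes each add-in's `FileName` rule value matches its on-disk file name.

```powershell
# Added example. File names reuse the article's samples; $staged is a hypothetical name.
$policy = '.\Lamna_FullyManagedClients_Audit.xml'
$staged = '.\Lamna_FullyManagedClients_Audit.staged.xml'

# One entry per add-in: the host app it is scoped to, and whether to deny it there.
$plan = @(
    @{ AddIn = '.\temp\addin1.dll'; App = '.\ERP1.exe';    Deny = $false }
    @{ AddIn = '.\temp\addin2.dll'; App = '.\ERP1.exe';    Deny = $false }
    @{ AddIn = '.\temp\addin3.dll'; App = '.\winword.exe'; Deny = $true  }
)

# Fail before touching any policy if a referenced file is missing.
$paths   = @($policy) + @($plan | ForEach-Object { $_.AddIn; $_.App })
$missing = @($paths | Where-Object { -not (Test-Path -LiteralPath $_ -PathType Leaf) })
if ($missing.Count -gt 0) { throw "Missing files: $($missing -join ', ')" }

# Build one AppID-scoped FileName rule set per entry; -Deny is added only when requested.
$rules = foreach ($p in $plan) {
    $params = @{ DriverFilePath = $p.AddIn; Level = 'FileName'; AppID = $p.App }
    if ($p.Deny) { $params.Deny = $true }
    New-CIPolicyRule @params
}

# Merge into the staged copy so the original audit policy stays unchanged for comparison.
Merge-CIPolicy -OutputFilePath $staged -PolicyPaths $policy -Rules $rules | Out-Null

# Print the Allow/Deny file rules for the add-ins from the merged XML.
# Assumption: the rule's FileName attribute equals the on-disk file name.
$ns    = @{ si = 'urn:schemas-microsoft-com:sipolicy' }
$names = $plan | ForEach-Object { Split-Path -Leaf $_.AddIn }
$found = @(Select-Xml -Path $staged -Namespace $ns `
        -XPath '//si:FileRules/si:Allow | //si:FileRules/si:Deny' |
    Where-Object { $names -contains $_.Node.GetAttribute('FileName') })

$found | ForEach-Object { $_.Node.OuterXml }
if ($found.Count -eq 0) {
    Write-Warning "No rules matched the add-in names in $staged; review the file manually."
}
```

Review the printed rules before replacing the audit policy with the staged file, in particular that the rule for `addin3.dll` is a `Deny` element.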