Edit

Use WDAC and Windows PowerShell to allow or blocks apps on HoloLens 2 devices with Microsoft Intune

  • Article

Microsoft HoloLens 2 devices support the Windows Defender Application Control (WDAC) CSP, which replaces the AppLocker CSP.

Using Windows PowerShell and Microsoft Intune, you can use the WDAC CSP to allow or block specific apps from opening on Microsoft HoloLens 2 devices. For example, you may want to allow or prevent the Cortana app from opening on HoloLens 2 devices in your organization.

This feature applies to:

  • HoloLens 2 devices running Windows Holographic for Business

The WDAC CSP is based on the Windows Defender Application Control (WDAC) feature. You can also use multiple WDAC policies.

This article shows you how to:

  1. Use Windows PowerShell to create WDAC policies.
  2. Use Windows PowerShell to convert the WDAC policy rules to XML, update the XML, and then convert the XML to a binary file.
  3. In Microsoft Intune, create a custom device configuration profile, add this WDAC policy binary file, and apply the policy to your HoloLens 2 devices.

In Intune, you must create a custom configuration profile to use the Windows Defender Application Control (WDAC) CSP.

Use the steps in this article as a template to allow or deny specific apps from opening on HoloLens 2 devices.

Prerequisites

  • Be familiar with Windows PowerShell.

  • Sign in to Intune as a member of:

    • Policy and Profile Manager or Intune Role Administrator Intune role

      OR

    • Global Administrator or Intune Service Administrator Azure AD role

    For more information on Intune roles, go to Role-based access control (RBAC) with Intune.

  • Create a user group or devices group with your HoloLens 2 devices. For more information on groups, go to User groups vs. device groups.

Example

This example uses Windows PowerShell to create a Windows Defender Application Control (WDAC) policy. The policy prevents specific apps from opening. Then, use Intune to deploy the policy to HoloLens 2 devices.

  1. On your desktop computer, open the Windows PowerShell app.

  2. Get information about the installed application package on your desktop computer and HoloLens:

    $package1 = Get-AppxPackage -name *<applicationname>*

    For example, enter:

    $package1 = Get-AppxPackage -name Microsoft.MicrosoftEdge

    Next, confirm the package has application attributes:

    $package1

    App details similar to the following attributes are shown:

    Name              : Microsoft.MicrosoftEdge
Publisher         : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture      : Neutral
ResourceId        :
Version           : 44.20190.1000.0
PackageFullName   : Microsoft.MicrosoftEdge_44.20190.1000.0_neutral__8wekyb3d8bbwe
InstallLocation   : C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
IsFramework       : False
PackageFamilyName : Microsoft.MicrosoftEdge_8wekyb3d8bbwe
PublisherId       : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle          : False
IsDevelopmentMode : False
NonRemovable      : True
IsPartiallyStaged : False
SignatureKind     : System
Status            : Ok

  3. Create a WDAC policy, and add the app package to the DENY rule:

    $rule = New-CIPolicyRule -Package $package1 -Deny

  4. Repeat steps 2 and 3 for any other applications you want to DENY:

    $rule += New-CIPolicyRule -Package $package<2..n> -Deny

    For example, enter:

    $package2 = Get-AppxPackage -name *windowsstore*
$rule += New-CIPolicyRule -Package $package<2..n>  -Deny

  5. Convert the WDAC policy to newPolicy.xml:

    Note

    You can block apps that are only installed on HoloLens devices. For more information, go to package family names for apps on HoloLens.

    New-CIPolicy -rules $rule -f .\newPolicy.xml -UserPEs

    To target all versions of an app, in newPolicy.xml, be sure PackageVersion="65535.65535.65535.65535" is in Deny node:

    <Deny ID="ID_DENY_D_1" FriendlyName="Microsoft.WindowsStore_8wekyb3d8bbwe FileRule" PackageFamilyName="Microsoft.WindowsStore_8wekyb3d8bbwe" PackageVersion="65535.65535.65535.65535" />

    For PackageFamilyNameRules, you can use the following versions:

    • Allow: Enter PackageVersion, 0.0.0.0, which means "Allow this version and above".
    • Deny: Enter PackageVersion, 65535.65535.65535.65535, which means "Deny this version and below".

  6. If you plan to deploy and run any apps that didn't originate from the Microsoft Store, such as line of business apps (see App Management), then explicitly allow these apps by adding their signer to the WDAC policy.

    Note

    Using WDAC and LOB apps is currently only available in Windows Insiders features for HoloLens.

    For example, you plan on deploying ATestApp.msix. ATestApp.msix is signed by the TestCert.cer certificate. Use the following Windows PowerShell script to add the signer to the WDAC policy:

    Add-SignerRule -FilePath .\newPolicy.xml -CertificatePath .\TestCert.cer -User

  7. Merge newPolicy.xml with the default policy that's on your desktop computer. This step creates mergedPolicy.xml. For example, allow the Windows, WHQL signed drivers, and Store signed apps to run:

    Merge-CIPolicy -PolicyPaths .\newPolicy.xml,C:\Windows\Schemas\codeintegrity\examplepolicies\DefaultWindows_Audit.xml -o mergedPolicy.xml

  8. Disable the Audit mode rule in mergedPolicy.xml. When you merge, audit mode is automatically turned on:

    Set-RuleOption -o 3 -Delete .\mergedPolicy.xml

  9. Enable the InvalidateEAs on a reboot rule in mergedPolicy.xml:

    Set-RuleOption -o 15 .\mergedPolicy.xml

    For more information on these rules, go to Understand WDAC policy rules and file rules.

  10. Convert mergedPolicy.xml to binary format. This step creates compiledPolicy.bin. In a later step, you add this compiledPolicy.bin binary file to Intune.

    ConvertFrom-CIPolicy .\mergedPolicy.xml .\compiledPolicy.bin

  11. Create the custom device configuration profile in Intune:

    1. In the Microsoft Intune admin center, create a Windows 10/11 custom device configuration profile.

      For the specific steps, go to Create a custom profile using OMA-URI in Intune.

    2. When you create the profile, enter the following settings:

    • OMA-URI: Enter ./Vendor/MSFT/ApplicationControl/Policies/<PolicyGUID>/Policy. Replace <PolicyGUID> with the PolicyTypeID node in the mergedPolicy.xml file you created in step 6.

      Using our example, enter ./Vendor/MSFT/ApplicationControl/Policies/A244370E-44C9-4C06-B551-F6016E563076/Policy.

      The policy GUID must match the PolicyTypeID node in the mergedPolicy.xml file (created in step 6).

      The OMA-URI uses the ApplicationControl CSP. For more information on the nodes in this CSP, go to ApplicationControl CSP.

    • Data type: Set to Base64 file. It automatically converts the file from bin to base64.

    • Certificate file: Upload the compiledPolicy.bin binary file (created in step 10).

    Your settings look similar to the following settings:

    Add a custom OMA-URI to configure ApplicationControl CSP in Microsoft Intune.

  12. When the profile is assigned to your HoloLens 2 group, check the profile status. After the profile successfully applies, reboot the HoloLens 2 devices.

Next steps

Assign the profile, and monitor its status.

Learn more about custom profiles in Intune.