Bewerken

Delen via


ApplicationControl CSP

App Control for Business policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for multiple policies (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the AppLocker CSP, the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.

Existing App Control for Business policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although App Control policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.

The following list shows the ApplicationControl configuration service provider nodes:

Policies

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies

Beginning of a Subtree that contains all policies.

Each policy is identified by their globally unique identifier (GUID).

Description framework properties:

Property name Property value
Format node
Access Type Get

Policies/{Policy GUID}

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}

The GUID of the Policy.

Each Policy GUID node contains a Policy node and a corresponding PolicyInfo node.

Description framework properties:

Property name Property value
Format node
Access Type Get
Dynamic Node Naming UniqueName: The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob.

Policies/{Policy GUID}/Policy

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/Policy

The policy binary encoded as base64. Supported value is a binary file, converted from the policy XML file by the ConvertFrom-CIPolicy cmdlet.

Default value is empty.

Description framework properties:

Property name Property value
Format b64
Access Type Add, Delete, Get, Replace

Policies/{Policy GUID}/PolicyInfo

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo

Information Describing the Policy indicated by the GUID.

Description framework properties:

Property name Property value
Format node
Access Type Get
Policies/{Policy GUID}/PolicyInfo/BasePolicyId
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/BasePolicyId

The BasePolicyId of the Policy Indicated by the Policy GUID.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get
Policies/{Policy GUID}/PolicyInfo/FriendlyName
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/FriendlyName

The FriendlyName of the Policy Indicated by the Policy GUID.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get
Policies/{Policy GUID}/PolicyInfo/IsAuthorized
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsAuthorized

Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system.

Supported values are as follows:

  • True: Indicates that the policy is authorized to be loaded by the enforcement engine on the system.
  • False: Indicates that the policy isn't authorized to be loaded by the enforcement engine on the system. This value is the default value.

Description framework properties:

Property name Property value
Format bool
Access Type Get
Policies/{Policy GUID}/PolicyInfo/IsBasePolicy
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsBasePolicy

TRUE/FALSE if the Policy is a Base Policy versus a Supplemental Policy.

Description framework properties:

Property name Property value
Format bool
Access Type Get
Policies/{Policy GUID}/PolicyInfo/IsDeployed
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsDeployed

Whether the Policy indicated by the GUID is deployed on the system (on the physical machine)

Supported values are as follows:

  • True: Indicates that the policy is deployed on the system and is present on the physical machine.
  • False: Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value.

Description framework properties:

Property name Property value
Format bool
Access Type Get
Policies/{Policy GUID}/PolicyInfo/IsEffective
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsEffective

Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect)

Supported values are as follows:

  • True: Indicates that the policy is loaded by the enforcement engine and is in effect on a system.
  • False: Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value.

Description framework properties:

Property name Property value
Format bool
Access Type Get
Policies/{Policy GUID}/PolicyInfo/IsSystemPolicy
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsSystemPolicy

TRUE/FALSE if the Policy is a System Policy, that's a policy managed by Microsoft as part of the OS.

Description framework properties:

Property name Property value
Format bool
Access Type Get
Policies/{Policy GUID}/PolicyInfo/PolicyOptions
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/PolicyOptions

The PolicyOptions of the Policy Indicated by the Policy GUID.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get
Policies/{Policy GUID}/PolicyInfo/Status
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/Status

The Current Status of the Policy Indicated by the Policy GUID.

Default value is 0, which indicates that the policy status is OK.

Description framework properties:

Property name Property value
Format int
Access Type Get
Policies/{Policy GUID}/PolicyInfo/Version
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/Version

Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Tokens

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Tokens

Beginning of a Subtree that contains all tokens.

Description framework properties:

Property name Property value
Format node
Access Type Get

Tokens/{ID}

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Tokens/{ID}

Arbitrary ID used to differentiate tokens.

Description framework properties:

Property name Property value
Format node
Access Type Get
Dynamic Node Naming UniqueName: The ApplicationControl CSP enforces that the "ID" segment of a given token URI is unique.

Tokens/{ID}/Token

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Tokens/{ID}/Token

The token binary encoded as base64. Supported value is a binary file, obtained from the OneCoreDeviceUnlockService.

Description framework properties:

Property name Property value
Format b64
Access Type Add, Delete, Get, Replace

Tokens/{ID}/TokenInfo

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Tokens/{ID}/TokenInfo

Information Describing the Token indicated by the corresponding ID.

Description framework properties:

Property name Property value
Format node
Access Type Get
Tokens/{ID}/TokenInfo/Status
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Tokens/{ID}/TokenInfo/Status

The Current Status of the Token Indicated by the Token ID.

Description framework properties:

Property name Property value
Format int
Access Type Get
Tokens/{ID}/TokenInfo/Type
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Vendor/MSFT/ApplicationControl/Tokens/{ID}/TokenInfo/Type

The Type of Token Indicated by the Token ID.

Description framework properties:

Property name Property value
Format int
Access Type Get

IsAuthorized, IsDeployed, and IsEffective values

The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes:

IsAuthorized IsDeployed IsEffective Resultant
True True True Policy is currently running and is in effect.
True True False Policy requires a reboot to take effect.
True False True Policy requires a reboot to unload from CI.
False True True Not Reachable.
True False False *Not Reachable.
False True False *Not Reachable.
False False True Not Reachable.
False False False *Not Reachable.

* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.

Microsoft Intune Usage Guidance

For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to Deploy App Control for Business policies by using Microsoft Intune.

Generic MDM Server Usage Guidance

In order to use the ApplicationControl CSP without using Intune, you must:

  1. Know a generated policy's GUID, which can be found in the policy xml as <PolicyID> or <PolicyTypeID> for pre-1903 systems.
  2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
  3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command-line tool.

Below is a sample certutil invocation:

certutil  -encode WinSiPolicy.p7b WinSiPolicy.cer

An alternative to using certutil would be to use the following PowerShell invocation:

[Convert]::toBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>))

Deploy Policies

To deploy a new base policy using the CSP, perform an ADD on ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy using the Base64-encoded policy node as {Data}. Refer to the Format section in the Example 1 below.

To deploy base policy and supplemental policies:

  1. Perform an ADD on ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
  2. Repeat for each base or supplemental policy (with its own GUID and data).

The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and doesn't need that reflected in the ADD).

Example 1: Add first base policy

<Add>
    <CmdID>1</CmdID>
    <Item>
        <Target>
            <LocURI>./Vendor/MSFT/ApplicationControl/Policies/{Base1GUID}/Policy</LocURI>
        </Target>
        <Meta>
             <Format xmlns="syncml:metinf">b64</Format>
        </Meta>
        <Data> {Base1Data} </Data>
    </Item>
</Add>

Example 2: Add second base policy

<Add>
    <CmdID>1</CmdID>
    <Item>
        <Target>
            <LocURI>./Vendor/MSFT/ApplicationControl/Policies/{Base2GUID}/Policy</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">b64</Format>
        </Meta>
        <Data> {Base2Data} </Data>
    </Item>
</Add>

Example 3: Add supplemental policy

<Add>
    <CmdID>1</CmdID>
    <Item>
        <Target>
            <LocURI>./Vendor/MSFT/ApplicationControl/Policies/{Supplemental1GUID}/Policy</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">b64</Format>
        </Meta>
        <Data> {Supplemental1Data} </Data>
    </Item>
</Add>

Get policies

Perform a GET using a deployed policy's GUID to interrogate/inspect the policy itself or information about it.

The following table displays the result of Get operation on different nodes:

Nodes Get Results
./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy raw p7b
./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/PolicyInfo/Version Policy version
./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/PolicyInfo/IsEffective Is the policy in effect
./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/PolicyInfo/IsDeployed Is the policy on the system
./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/PolicyInfo/IsAuthorized Is the policy authorized on the system
./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/PolicyInfo/Status Was the deployment successful
./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/PolicyInfo/FriendlyName Friendly name per the policy

An example of Get command is:

 <Get>
    <CmdID>1</CmdID>
        <Item>
            <Target>
                <LocURI>./Vendor/MSFT/ApplicationControl/Policies/{PolicyGUID}/Policy</LocURI>
            </Target>
        </Item>
 </Get>

Delete policies

Rebootless Deletion

Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This sequence will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.

Unsigned Policies

To delete an unsigned policy, perform a DELETE on ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy.

Signed Policies

Note

A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy isn't sufficient to delete a signed policy.

To delete a signed policy:

  1. Replace it with a signed update allowing unsigned policy.
  2. Deploy another update with unsigned Allow All policy.
  3. Perform delete.

An example of Delete command is:

   <Delete>
     <CmdID>1</CmdID>
        <Item>
            <Target>
                  <LocURI>./Vendor/MSFT/ApplicationControl/Policies/{PolicyGUID}/Policy</LocURI>
            </Target>
        </Item>
   </Delete>

PowerShell and WMI Bridge Usage Guidance

The ApplicationControl CSP can also be managed locally from PowerShell or via Configuration Manager's task sequence scripting by using the WMI Bridge Provider.

Setup for using the WMI Bridge

  1. Convert your App Control policy to Base64.

  2. Open PowerShell in Local System context (through PSExec or something similar).

  3. Use WMI Interface:

    $namespace = "root\cimv2\mdm\dmmap"
    $policyClassName = "MDM_ApplicationControl_Policies01_01"
    $policyBase64 = "<base64policy>"
    

Deploying a policy via WMI Bridge

Run the following command. PolicyID is a GUID that can be found in the policy xml, and should be used here without braces.

New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{ParentID="./Vendor/MSFT/ApplicationControl/Policies";InstanceID="<PolicyID>";Policy=$policyBase64}

Querying all policies via WMI Bridge

Get-CimInstance -Namespace $namespace -ClassName $policyClassName

Configuration service provider reference