Merge pull request MicrosoftDocs#2486 from MicrosoftDocs/master

garycentric · web-flow · commit 8ba8b404d366 · 2021-06-04T16:02:48.000-07:00
Publish 06/04/2021, 3:30 PM
diff --git a/docset/winserver2022-ps/configci/New-CIPolicy.md b/docset/winserver2022-ps/configci/New-CIPolicy.md
@@ -19,13 +19,13 @@ Creates a Code Integrity policy as an .xml file.
 ```
 New-CIPolicy [-FilePath] <String> [-DriverFiles <DriverFile[]>] -Level <RuleLevel> [-Fallback <RuleLevel[]>]
  [-Audit] [-ScanPath <String>] [-ScriptFileNames] [-UserPEs] [-NoScript] [-Deny] [-NoShadowCopy]
- [-OmitPaths <String[]>] [-PathToCatroot <String>] [<CommonParameters>]
+ [-OmitPaths <String[]>] [-PathToCatroot <String>] [-MultiplePolicyFormat] [<CommonParameters>]
 ```
 
 ### Rules
 ```
 New-CIPolicy [-FilePath] <String> -Rules <Rule[]> [-Audit] [-ScanPath <String>] [-ScriptFileNames] [-UserPEs]
- [-NoScript] [-Deny] [-NoShadowCopy] [-OmitPaths <String[]>] [-PathToCatroot <String>] [<CommonParameters>]
+ [-NoScript] [-Deny] [-NoShadowCopy] [-OmitPaths <String[]>] [-PathToCatroot <String>] [-MultiplePolicyFormat] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -43,18 +43,18 @@ If you specify the **Audit** parameter, this cmdlet scans the Code Integrity Aud
 
 ## EXAMPLES
 
-### Example 1: Create a policy
+### Example 1: Create a policy in multiple policy format
 ```
-The first command scans for user-mode executables (applications) along with kernel-mode binaries such as drivers and creates rules at the Publisher level. The command creates a policy and stores it in the file that is named Policy.xml. This command specifies the **OmitPaths** parameter to exclude files in the temp\ConfigCITestBinaries folder. The command specifies the **NoScript** parameter so that it gets information for only PE files.
-PS C:\> New-CIPolicy -ScanPath '.\temp\' -UserPEs -OmitPaths '.\temp\ConfigCITestBinaries' -NoScript -FilePath '.\Policy.xml' -Level Publisher
+PS C:\> New-CIPolicy -ScanPath '.\temp\' -UserPEs -OmitPaths '.\temp\ConfigCITestBinaries' -NoScript -FilePath '.\Policy.xml' -Level Publisher -MultiplePolicyFormat
 Scan completed successfully
 
 The second command displays the contents of the policy. 
 PS C:\> Get-Content -Path '.\policy.xml'
 <?xml version="1.0" encoding="utf-8"?>
-<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
+<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
   <VersionEx>10.0.0.0</VersionEx>
-  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
+  <BasePolicyID>{BB9EC112-DD85-41AD-9778-22680D3D8A22}</BasePolicyID>
+  <PolicyID>{BB9EC112-DD85-41AD-9778-22680D3D8A22}</PolicyID>
   <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
   <Rules>
     <Rule>
@@ -210,6 +210,8 @@ Hash="DA737C142A51A73D82E6AD677474C8031486FDEF018A6FE9D178564F83AB284B" />
 </SiPolicy>
 ```
 
+The first command scans for user-mode executables (applications) along with kernel-mode binaries such as drivers and creates rules at the Publisher level. The command creates a policy in multiple policy format and stores it in the file that is named Policy.xml. This command specifies the **OmitPaths** parameter to exclude files in the temp\ConfigCITestBinaries folder. The command specifies the **NoScript** parameter so that it gets information for only portable executable files (PE files).
+
 ### Example 2: Scan unsigned files
 ```
 PS C:\> New-CIPolicy -ScanPath '.\temp\' -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash
@@ -539,6 +541,22 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -MultiplePolicyFormat
+Indicates that this cmdlet should create a policy in multiple policy format as opposed to a single policy format. 
+Refer to [Create WDAC policies in Multiple Policy Format](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies#creating-wdac-policies-in-multiple-policy-format) for the difference between the policy formats. 
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: None
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### CommonParameters
 This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
 
diff --git a/docset/winserver2022-ps/configci/New-CIPolicyRule.md b/docset/winserver2022-ps/configci/New-CIPolicyRule.md
@@ -11,7 +11,7 @@ title: New-CIPolicyRule
 # New-CIPolicyRule
 
 ## SYNOPSIS
-Generates Code Integrity policy rules for drivers.
+Generates Code Integrity policy rules for user mode code and drivers.
 
 ## SYNTAX
 
@@ -33,6 +33,11 @@ New-CIPolicyRule -FilePathRule <String> [-Deny]
  [-ScriptFileNames] [<CommonParameters>]
 ```
 
+### PackagedAppRule
+```
+New-CIPolicyRule -Package <String> [-Deny] [<CommonParameters>]
+```
+
 ## DESCRIPTION
 The **New-CIPolicyRule** cmdlet generates Code Integrity policy rules for drivers.
 Specify a rule level and an array of **DriverFile** objects or the path of a driver.
@@ -192,6 +197,49 @@ attributes     : {[AppIDs, ], [MinimumFileVersion, 0.0.0.0], [FilePath, .\temp\C
 
 This command generates a filepath rule for the specific path verbatim string. This will allow anything in the parent folder. 
 
+### Example 5: Create a policy rule for a packaged application and its dependencies
+```
+PS C:\> $package = Get-AppxPackage -Name *Microsoft.Whiteboard*
+PS C:\> $package_dependencies = $package.Dependencies
+
+PS C:\> $package_rule = New-CIPolicyRule -Package $package
+PS C:\> $package_rule += New-CIPolicyRule -Package $dependency[0] # repeat for all dependencies in array
+```
+```output
+PS C:\> $package_rule
+
+
+Name           : Microsoft.Whiteboard_8wekyb3d8bbwe FileRule
+Id             : ID_ALLOW_A_D
+TypeId         : Allow
+Root           : 
+FileVersionRef : 
+AppIDRef       : 
+Wellknown      : False
+Ekus           : 
+Exceptions     : 
+FileAttributes : 
+FileException  : False
+UserMode       : True
+attributes     : {[AppIDs, ], [MinimumFileVersion, 0.0.0.0], [PackageFamilyName, Microsoft.Whiteboard_8wekyb3d8bbwe], [PackageVersion, 21.10503.5662.0]}
+
+Name           : Microsoft.NET.Native.Runtime.2.2_8wekyb3d8bbwe FileRule
+Id             : ID_ALLOW_A_E
+TypeId         : Allow
+Root           : 
+FileVersionRef : 
+AppIDRef       : 
+Wellknown      : False
+Ekus           : 
+Exceptions     : 
+FileAttributes : 
+FileException  : False
+UserMode       : True
+attributes     : {[AppIDs, ], [MinimumFileVersion, 0.0.0.0], [PackageFamilyName, Microsoft.NET.Native.Runtime.2.2_8wekyb3d8bbwe], [PackageVersion, 2.2.28604.0]}
+```
+
+This set of commands finds a packaged application matching the specified name and generates an allow rule for the packaged application and its dependencies. 
+
 
 ## PARAMETERS
 
@@ -293,6 +341,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -Package
+Specifies the packaged app (MSIX/Appx) to base the rule. 
+
+```yaml
+Type: AppxPackage
+Parameter Sets: (All)
+Aliases: None
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ScriptFileNames
 
 ```yaml
diff --git a/docset/winserver2022-ps/configci/Set-CIPolicyIdInfo.md b/docset/winserver2022-ps/configci/Set-CIPolicyIdInfo.md
@@ -16,7 +16,7 @@ Modifies the name and ID of a Code Integrity policy.
 ## SYNTAX
 
 ```
-Set-CIPolicyIdInfo [-FilePath] <String> [-PolicyName <String>] [-PolicyId <String>] [<CommonParameters>]
+Set-CIPolicyIdInfo [-FilePath] <String> [-PolicyName <String>] [-PolicyId <String>] [-BasePolicyToSupplementPath <string>] [-SupplementsBasePolicyID <Guid>] [-ResetPolicyID] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -40,6 +40,13 @@ PS C:\> Set-CIPolicyIdInfo -FilePath ".\Policy03.xml" -PolicyName "CIPolicy77"
 
 This command modifies only the policy name for the policy stored in the Policy03.xml file.
 
+### Example 3: Specify the base policy ID of a supplemental policy
+```
+PS C:\> Set-CIPolicyIdInfo -FilePath ".\Supplemental_Policy.xml" -BasePolicyToSupplementPath ".\Base_Policy.xml"
+```
+
+This command will extract the PolicyID field from the Base_Policy.xml file and modify the BasePolicyID field in the Supplemental_Policy.xml file.
+
 ## PARAMETERS
 
 ### -FilePath
@@ -88,6 +95,52 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -BasePolicyToSupplementPath
+Specifies the path to a base policy to get the value for the **BasePolicyID** property for a supplemental policy.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: None
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SupplementsBasePolicyID
+Specifies the value for the **BasePolicyID** property for a supplemental policy.
+
+```yaml
+Type: Guid
+Parameter Sets: (All)
+Aliases: None
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResetPolicyID
+Resets both the PolicyID and BasePolicyID values. This parameter will convert a single-policy format policy to multi-policy format. 
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: None
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+
 ### CommonParameters
 This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
 
@@ -100,4 +153,3 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
 ## RELATED LINKS
 
 [Get-CIPolicyIdInfo](./Get-CIPolicyIdInfo.md)
-
