现在我们使用私人商店,因此可以稍微减少 Applocker 打包应用程序规则的数量。我们正在研究仅限发布者的规则(目前,每个微软商店应用程序都有 1 条规则)。
我们希望为所有 Microsoft 应用程序制定一条规则。(帮助我们减少 90% 的规则)。
试图弄清楚为什么我的“仅发布者”规则不起作用。
为了简单起见,我将规则缩减为仅限 Windows 商店。它可以正常运行和打开。
<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="963d36c4-c0dd-4831-b4f4-240bd4b75813" Name="Packaged app: Microsoft.WindowsStore, version 12001.1001.1.0, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*">
<BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
如果我设置此策略规则(允许所有 Microsoft 签名的应用程序),商店将被阻止
<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="939fb295-f744-4298-bc31-be2e6178c15e" Name="Signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
如果我启用商店和所有 Microsoft 发布的应用程序,那么商店就会出现,但 Microsoft 精选的任何应用程序都不会被允许。
<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="963d36c4-c0dd-4831-b4f4-240bd4b75813" Name="Packaged app: Microsoft.WindowsStore, version 12001.1001.1.0, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*">
<BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="939fb295-f744-4298-bc31-be2e6178c15e" Name="Signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
以下是我的注册表在 Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Appx 2 规则下的样子 - 商店和所有 Microsoft
答案1
我查看了事件日志(Microsoft -> Windows -> Applocker -> Package app-Deployment)以查找被阻止的条目。
常规选项卡没什么用,但我进入 xml 详细信息并找到了正确的发布者值
<FilePublisherRule Id="939fb295-f744-4298-bc31-be2e6178c15f" Name="Signed by Microsoft Corporation (Different CN)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=MICROSOFT CORPORATION, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>