Use WDAC and Windows PowerShell to allow or block apps on HoloLens 2 devices with Microsoft Intune
Using Windows PowerShell and Microsoft Intune, you can use the WDAC CSP to allow or block specific apps from opening on Microsoft HoloLens 2 devices. For example, you may want to allow or prevent the Cortana app from opening on HoloLens 2 devices in your organization.
This feature applies to:
- HoloLens 2 devices running Windows Holographic for Business
The WDAC CSP is based on the Windows Defender Application Control (WDAC) feature. You can also use multiple WDAC policies.
This article shows you how to:
- Use Windows PowerShell to create WDAC policies.
- Use Windows PowerShell to convert the WDAC policy rules to XML, update the XML, and then convert the XML to a binary file.
- In Microsoft Intune, create a custom device configuration profile, add this WDAC policy binary file, and apply the policy to your HoloLens 2 devices.
In Intune, you must create a custom configuration profile to use the Windows Defender Application Control (WDAC) CSP.
Use the steps in this article as a template to allow or deny specific apps from opening on HoloLens 2 devices.
- Be familiar with Windows PowerShell.
- Sign in to Intune as a member of one of the following roles:
  - Policy and Profile Manager or Intune Role Administrator (Intune role)
  - Global Administrator or Intune Service Administrator (Azure AD role)
  Role-based access control (RBAC) with Intune has more information.
- Create a user group or device group that contains your HoloLens 2 devices. For more information, see User groups vs. device groups.
This example uses Windows PowerShell to create a Windows Defender Application Control (WDAC) policy. The policy prevents specific apps from opening. Then, use Intune to deploy the policy to HoloLens 2 devices.
On your desktop computer, open the Windows PowerShell app.
Get information about the installed application package on your desktop computer and HoloLens:
$package1 = Get-AppxPackage -name *<applicationname>*
For example, enter:
$package1 = Get-AppxPackage -name Microsoft.MicrosoftEdge
Next, confirm the package has application attributes:
You'll see attributes similar to the following app details:
Name              : Microsoft.MicrosoftEdge
Publisher         : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture      : Neutral
ResourceId        :
Version           : 44.20190.1000.0
PackageFullName   : Microsoft.MicrosoftEdge_44.20190.1000.0_neutral__8wekyb3d8bbwe
InstallLocation   : C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
IsFramework       : False
PackageFamilyName : Microsoft.MicrosoftEdge_8wekyb3d8bbwe
PublisherId       : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle          : False
IsDevelopmentMode : False
NonRemovable      : True
IsPartiallyStaged : False
SignatureKind     : System
Status            : Ok
Create a WDAC policy, and add the app package to the DENY rule:
$rule = New-CIPolicyRule -Package $package1 -Deny
Repeat steps 2 and 3 for any other applications you want to DENY, appending each new rule to $rule:
$rule += New-CIPolicyRule -Package $package<2..n> -Deny
For example, enter:
$package2 = Get-AppxPackage -name *windowsstore*
$rule += New-CIPolicyRule -Package $package2 -Deny
Convert the WDAC policy rules to newPolicy.xml:
New-CIPolicy -rules $rule -f .\newPolicy.xml -UserPEs
You can only block apps that are installed on HoloLens devices. For more information, see package family names for apps on HoloLens.
To target all versions of an app, make sure the Deny node in newPolicy.xml contains PackageVersion="65535.65535.65535.65535":
<Deny ID="ID_DENY_D_1" FriendlyName="Microsoft.WindowsStore_8wekyb3d8bbwe FileRule" PackageFamilyName="Microsoft.WindowsStore_8wekyb3d8bbwe" PackageVersion="65535.65535.65535.65535" />
In PackageFamilyName rules, you can use the following versions:
- Allow: Enter PackageVersion 0.0.0.0, which means "Allow this version and above".
- Deny: Enter PackageVersion 65535.65535.65535.65535, which means "Deny this version and below".
Merge newPolicy.xml with the default policy that's on your desktop computer. This step creates mergedPolicy.xml. For example, the following command merges your deny rules with the default policy that allows Windows, WHQL-signed drivers, and Store-signed apps to run:
Merge-CIPolicy -PolicyPaths .\newPolicy.xml,C:\Windows\Schemas\codeintegrity\examplepolicies\DefaultWindows_Audit.xml -o mergedPolicy.xml
Disable the Audit mode rule (option 3) in mergedPolicy.xml. When you merge, audit mode is automatically turned on, and an audit-mode policy only logs blocked apps instead of blocking them:
Set-RuleOption -o 3 -Delete .\mergedPolicy.xml
Enable the Invalidate EAs on Reboot rule (option 15) in mergedPolicy.xml:
Set-RuleOption -o 15 .\mergedPolicy.xml
For more information on these rules, see Understand WDAC policy rules and file rules.
Convert mergedPolicy.xml to binary format. This step creates compiledPolicy.bin. You'll add this compiledPolicy.bin binary file to Intune.
ConvertFrom-CIPolicy .\mergedPolicy.xml .\compiledPolicy.bin
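The PowerShell steps above, end to end, as an added example that is not part of the original article: it builds a Deny rule for each package in a list, forces the all-versions PackageVersion on every package Deny node, merges with the default Windows policy, removes audit mode, enables option 15, compiles the binary, and reads the PolicyTypeID GUID you need for the Intune profile. The package names, output paths, and the ApplicationControl CSP URI format are assumptions.

```powershell
# Added example (not from the original article). Assumed inputs: package names,
# working directory, and the DefaultWindows_Audit.xml base policy path.
param(
    [string[]]$DenyPackages = @('Microsoft.MicrosoftEdge', 'Microsoft.WindowsStore'),
    [string]$WorkDir = "$PWD",
    [string]$BasePolicy = 'C:\Windows\Schemas\codeintegrity\examplepolicies\DefaultWindows_Audit.xml'
)
$ErrorActionPreference = 'Stop'
$newPolicy    = Join-Path $WorkDir 'newPolicy.xml'
$mergedPolicy = Join-Path $WorkDir 'mergedPolicy.xml'
$compiled     = Join-Path $WorkDir 'compiledPolicy.bin'

# Build one DENY rule per package. Stop early if a package is not installed on
# this desktop, because New-CIPolicyRule needs the real package object.
$rules = @()
foreach ($name in $DenyPackages) {
    $pkg = Get-AppxPackage -Name $name | Select-Object -First 1
    if (-not $pkg) { throw "Package '$name' is not installed; cannot build a rule for it." }
    $rules += New-CIPolicyRule -Package $pkg -Deny
}

# Write the rules to newPolicy.xml.
New-CIPolicy -Rules $rules -FilePath $newPolicy -UserPEs

# Make every package Deny rule cover all versions (deny this version and below).
$xml = [xml](Get-Content -Raw $newPolicy)
$ns  = New-Object System.Xml.XmlNamespaceManager $xml.NameTable
$ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')
foreach ($deny in $xml.SelectNodes('//si:Deny[@PackageFamilyName]', $ns)) {
    $deny.SetAttribute('PackageVersion', '65535.65535.65535.65535')
}
$xml.Save($newPolicy)

# Merge with the default Windows policy, then remove audit mode (option 3) so the
# policy enforces, and enable Invalidate EAs on Reboot (option 15).
Merge-CIPolicy -PolicyPaths $newPolicy, $BasePolicy -OutputFilePath $mergedPolicy | Out-Null
Set-RuleOption -FilePath $mergedPolicy -Option 3 -Delete
Set-RuleOption -FilePath $mergedPolicy -Option 15

# Compile the merged XML to the binary that Intune uploads.
ConvertFrom-CIPolicy -XmlFilePath $mergedPolicy -BinaryFilePath $compiled | Out-Null

# Read the PolicyTypeID GUID (braces stripped) that the custom profile's OMA-URI
# must use; the URI format is the ApplicationControl CSP path (assumption).
$merged = [xml](Get-Content -Raw $mergedPolicy)
$guid   = $merged.SiPolicy.PolicyTypeID.Trim('{', '}')
"Upload file : $compiled"
"OMA-URI     : ./Vendor/MSFT/ApplicationControl/Policies/$guid/Policy"
```

Run it in an elevated Windows PowerShell session on the desktop that has the ConfigCI module; the two printed lines are the values you enter in the Intune profile.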
Create the custom device configuration profile in Intune:
In the Microsoft Endpoint Manager admin center, create a Windows 10 custom device configuration profile.
For the specific steps, see Create a custom profile using OMA-URI in Intune.
When you create the profile, enter the following settings:
OMA-URI: Replace <PolicyGUID> with the value of the PolicyTypeID node in the mergedPolicy.xml file you created in step 6.
Using our example, enter
The policy GUID must match the PolicyTypeID node in the mergedPolicy.xml file (created in step 6).
Data type: Set to Base64 file. It automatically converts the file from bin to base64.
Certificate file: Upload the compiledPolicy.bin binary file (created in step 9).
After the profile is assigned to your HoloLens 2 group, check the profile status in Intune. When the profile shows as successfully applied, reboot the HoloLens 2 devices so the new policy takes effect.