AppLocker 云解决方案提供商

下表显示了Windows的适用性:

版次 Windows 10 Windows 11
Home 键
专业版
商用版
企业
教育

AppLocker 配置服务提供程序用于指定允许或禁止哪些应用程序。 对于被阻止的应用,没有显示任何用户界面。

以下示例演示树格式的 AppLocker 配置服务提供程序。

./Vendor/MSFT
AppLocker
----ApplicationLaunchRestrictions
--------Grouping
------------EXE
----------------Policy
----------------EnforcementMode
----------------NonInteractiveProcessEnforcement
------------MSI
----------------Policy
----------------EnforcementMode
------------Script
----------------Policy
----------------EnforcementMode
------------StoreApps
----------------Policy
----------------EnforcementMode
------------DLL
----------------Policy
----------------EnforcementMode
----------------NonInteractiveProcessEnforcement
------------CodeIntegrity
----------------Policy
----EnterpriseDataProtection
--------Grouping
------------EXE
----------------Policy
------------StoreApps
----------------Policy
----LaunchControl
--------Grouping
------------EXE
----------------Policy
----------------EnforcementMode
------------StoreApps
----------------Policy
----------------EnforcementMode
----FamilySafety
--------Grouping
------------EXE
----------------Policy
----------------EnforcementMode
------------StoreApps
----------------Policy
----------------EnforcementMode

./Vendor/MSFT/AppLocker
定义 AppLocker 配置服务提供程序的根节点。

AppLocker/ApplicationLaunchRestrictions
定义应用程序的限制。

备注

创建允许的应用列表时,所有 收件箱应用 也会被阻止,并且必须将其包含在允许的应用列表中。 请勿忘记为电话、消息传送、设置、"开始"菜单、电子邮件和帐户、工作和学校以及所需的其他应用添加收件箱应用。

除非分组值在注册中是唯一的,否则无法正确支持删除/取消注册。 如果多个注册使用相同的分组值,则取消注册将无法按预期工作,因为资源管理器会删除重复的 URI。 若要防止此问题,分组值应包含一些随机性。 最佳做法是使用随机生成的 GUID。 但是,对节点的确切值没有要求。

备注

应用策略或使用 AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI 进行删除时,AppLocker 云解决方案提供商将计划重新启动。

AppLocker/ApplicationLaunchRestrictions/Grouping
分组节点是动态节点,对于给定注册 (或给定上下文) ,可能存在任意数量的节点。 实际标识符由管理终结点选择,其作业是确定其用途,而不是与其定义的其他标识符冲突。 不同的注册和上下文可能使用相同的颁发机构标识符,即使许多此类标识符同时处于活动状态。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/EXE
定义启动可执行应用程序的限制。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/EXE/Policy
策略节点定义用于启动可执行文件、Windows安装程序文件、脚本、存储应用和 DLL 文件的策略。 给定策略节点的内容恰恰是相应 AppLocker XML 策略中 RuleCollection 节点的 XML 格式。

数据类型为字符串。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/EXE/EnforcementMode
Windows 信息保护 (的 EnforcementMode 节点以前称为Enterprise数据保护) 不会影响 EnterpriseDataProtection 的行为。 策略云解决方案提供商中的 EDPEnforcementLevel 应用于启用和禁用以前称为Enterprise数据保护) 的Windows 信息保护 (。

数据类型为字符串。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/EXE/NonInteractiveProcessEnforcement
数据类型为字符串。

支持的操作包括 Add、Delete、Get 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/MSI
定义执行Windows安装程序文件的限制。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/MSI/Policy
策略节点定义用于启动可执行文件、Windows安装程序文件、脚本、存储应用和 DLL 文件的策略。 给定策略节点的内容恰恰是相应 AppLocker XML 策略中 RuleCollection 节点的 XML 格式。

数据类型为字符串。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/MSI/EnforcementMode
Windows 信息保护 (的 EnforcementMode 节点以前称为Enterprise数据保护) 不会影响 EnterpriseDataProtection 的行为。 策略云解决方案提供商中的 EDPEnforcementLevel 应用于启用和禁用以前称为Enterprise数据保护) 的Windows 信息保护 (。

数据类型为字符串。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/Script
定义运行脚本的限制。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/Script/Policy
策略节点定义用于启动可执行文件、Windows安装程序文件、脚本、存储应用和 DLL 文件的策略。 给定策略节点的内容恰恰是相应 AppLocker XML 策略中 RuleCollection 节点的 XML 格式。

数据类型为字符串。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/Script/EnforcementMode
Windows 信息保护 (的 EnforcementMode 节点以前称为Enterprise数据保护) 不会影响 EnterpriseDataProtection 的行为。 策略云解决方案提供商中的 EDPEnforcementLevel 应用于启用和禁用以前称为Enterprise数据保护) 的Windows 信息保护 (。

数据类型为字符串。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/StoreApps
定义从Microsoft Store运行应用的限制。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/StoreApps/Policy
策略节点定义用于启动可执行文件、Windows安装程序文件、脚本、存储应用和 DLL 文件的策略。 给定策略节点的内容恰恰是相应 AppLocker XML 策略中 RuleCollection 节点的 XML 格式。

数据类型为字符串。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/StoreApps/EnforcementMode
Windows 信息保护 (的 EnforcementMode 节点以前称为Enterprise数据保护) 不会影响 EnterpriseDataProtection 的行为。 策略云解决方案提供商中的 EDPEnforcementLevel 应用于启用和禁用以前称为Enterprise数据保护) 的Windows 信息保护 (。

数据类型为字符串。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/DLL
定义处理 DLL 文件的限制。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/DLL/Policy
策略节点定义用于启动可执行文件、Windows安装程序文件、脚本、存储应用和 DLL 文件的策略。 给定策略节点的内容恰恰是相应 AppLocker XML 策略中 RuleCollection 节点的 XML 格式。

数据类型为字符串。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/DLL/EnforcementMode
Windows 信息保护 (的 EnforcementMode 节点以前称为Enterprise数据保护) 不会影响 EnterpriseDataProtection 的行为。 策略云解决方案提供商中的 EDPEnforcementLevel 应用于启用和禁用以前称为Enterprise数据保护) 的Windows 信息保护 (。

数据类型为字符串。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/DLL/NonInteractiveProcessEnforcement
数据类型为字符串。

支持的操作包括 Add、Delete、Get 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity
此节点仅在桌面上受支持。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy
策略节点定义用于启动可执行文件、Windows安装程序文件、脚本、存储应用和 DLL 文件的策略。 给定策略节点的内容恰恰是相应 AppLocker XML 策略中 RuleCollection 节点的 XML 格式。

数据类型为 Base64。

支持的操作包括 Get、Add、Delete 和 Replace。

备注

若要使用代码完整性策略,首先需要使用 ConvertFrom-CIPolicy cmdlet 将策略转换为二进制格式。 然后,应创建二进制策略表示形式的 Base64 编码 Blob (例如,使用 certutil -encode 命令行工具) 并将其添加到 Applocker-云解决方案提供商。

AppLocker/EnterpriseDataProtection
捕获允许处理企业数据的应用列表。 应与 EnterpriseDataProtection 云解决方案提供商中的 ./Device/Vendor/MSFT/EnterpriseDataProtection 中的设置一起使用。

在Windows 10版本 1607 中,Windows 信息保护具有允许和豁免应用程序的概念。 允许的应用程序可以访问企业数据,并且这些应用程序处理的数据受加密保护。 豁免应用程序还可以访问企业数据,但这些应用程序处理的数据不受保护。 这是因为某些关键企业应用程序可能与加密数据存在兼容性问题。

可以使用以下 URI 设置允许的列表:

  • ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Grouping/EXE/Policy
  • ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Grouping/StoreApps/Policy

可以使用以下 URI 设置豁免列表。 _分组_字符串必须在任意位置包含关键字“EdpExempt”,以帮助将豁免列表与允许的列表区分开来。 还以不区分大小写的方式评估“EdpExempt”关键字:

  • ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Grouping 包括“EdpExempt”/EXE/Policy
  • ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Grouping 包括“EdpExempt”/StoreApps/Policy

豁免示例:

  • ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/ContosoEdpExempt/EXE/Policy
  • ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/xxxxxEdpExemptxxxxx/EXE/Policy

其他信息:

  • 建议的Windows 信息保护阻止列表 - 例如Windows 10版本 1607,该版本拒绝将已知未开明的 Microsoft 应用作为允许的应用访问企业数据。 此防护可确保管理员不会意外地允许这些应用Windows 信息保护,并避免与这些应用程序的自动文件加密相关的已知兼容性问题。

AppLocker/EnterpriseDataProtection/Grouping
分组节点是动态节点,对于给定注册 (或给定上下文) ,可能存在任意数量的节点。 实际标识符由管理终结点选择,其作业是确定其用途,而不是与其定义的其他标识符冲突。 不同的注册和上下文可能使用相同的颁发机构标识符,即使许多此类标识符同时处于活动状态。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/EnterpriseDataProtection/Grouping/EXE
定义启动可执行应用程序的限制。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/EnterpriseDataProtection/Grouping/EXE/Policy
策略节点定义用于启动可执行文件、Windows安装程序文件、脚本、存储应用和 DLL 文件的策略。 给定策略节点的内容恰恰是相应 AppLocker XML 策略中 RuleCollection 节点的 XML 格式。

数据类型为字符串。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/EnterpriseDataProtection/Grouping/StoreApps
定义从Microsoft Store运行应用的限制。

支持的操作包括 Get、Add、Delete 和 Replace。

AppLocker/EnterpriseDataProtection/Grouping/StoreApps/Policy
策略节点定义用于启动可执行文件、Windows安装程序文件、脚本、存储应用和 DLL 文件的策略。 给定策略节点的内容恰恰是相应 AppLocker XML 策略中 RuleCollection 节点的 XML 格式。

数据类型为字符串。

支持的操作包括 Get、Add、Delete 和 Replace。

  1. “设备发现” 下的手机上,点击 “配对”。 你将获得一个代码 (区分大小写的) 。

  2. “设置访问”页上的浏览器上,在文本框中输入区分大小写) (代码,然后单击“ 提交”。

    设备门户 ”页将在浏览器上打开。

    设备门户屏幕截图。

  3. 在桌面 设备门户 页上,单击 “应用 ”打开 应用管理器

  4. “正在运行的应用”下的 “应用管理器”页上,你将看到应用的PublisherPackageFullName

    设备门户应用管理器。

  5. 如果看不到所需的应用,请在 “已安装的应用”下查看。 使用下拉菜单,单击应用程序,并显示版本、Publisher和 PackageFullName。

    应用管理器。

下表显示了信息到 AppLocker 发布者规则字段的映射。

设备门户数据 AppLocker 发布者规则字段
PackageFullName ProductName:产品名称是 PackageFullName 的第一部分,后跟版本号。 在Windows 相机示例中,ProductName 为 Microsoft.WindowsCamera。
发布者 发布者
版本 版本

可以在 BinaryVersionRange 的 HighSection 或 LowSection 中使用该版本。

HighSection 定义最高版本号,LowSection 定义应受信任的最低版本号。 可以使用这两个版本的通配符来创建独立于版本的规则。 对其中一个值使用通配符将提供高于或低于特定版本语义。

下面是一个示例 AppLocker 发布者规则:

<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*">
  <BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>

可以使用 Web API 获取应用的发布者名称和产品名称。

若要在适用于企业的 Microsoft Store中查找 Microsoft 应用的发布者和产品名称:

  1. 转到适用于企业的 Microsoft Store 网站,然后查找你的应用。 例如,Microsoft OneNote。

  2. 从应用 URL 中复制 ID 值。 例如,Microsoft OneNote的 ID URL 是https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl,你将复制 ID 值:9wzdncrfhvjl

  3. 在浏览器中,运行 Microsoft Store for Business 门户 Web API,返回包含发布者和产品名称值的 JSON) 文件 (JavaScript 对象表示法。

请求 URI:

https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata

下面是Microsoft OneNote示例:

请求

https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata

结果

{
  "packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe",
  "packageIdentityName": "Microsoft.Office.OneNote",
  "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
  "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
结果数据 AppLocker 发布者规则字段
packageIdentityName ProductName
publisherCertificateName 发布者
windowsPhoneLegacyId 相同的值映射到 ProductName 和Publisher名称。

仅当Microsoft Store中存在与应用关联的 XAP 包时,才会显示此值。

如果填充此值,那么覆盖 AppX 和 XAP 包的简单做法是为应用创建两个规则。 一个使用 packageIdentityName 和 publisherCertificateName 值的 AppX 规则,另一个规则使用 windowsPhoneLegacyId 值。

设置依赖于初始应用的应用

除非已将这些应用显式添加到允许的应用列表,否则这些应用将被阻止。 下表显示了依赖于初始应用的设置应用的子集。

产品名称是 PackageFullName 的第一部分,后跟版本号。

设置应用名称 PackageFullName 或产品名称 ProductID
工作或学校帐户 Microsoft.AAD.BrokerPlugin e5f8b2c4-75ae-45ee-9be8-212e34f77747
电子邮件和帐户 Microsoft.AccountsControl 39cf127b-8c67-c149-539a-c02271d07060
SettingsPageKeyboard 5b04b775-356b-4aa0-aaf8-6491ffea5608_1.1.0.0_neutral__cw8ffb7c56vgc 5b04b775-356b-4aa0-aaf8-6491ffea5608
SettingsPageTimeRegion 5b04b775-356b-4aa0-aaf8-6491ffea560c_1.0.0.0_neutral__gqhq4qhgje4fw 5b04b775-356b-4aa0-aaf8-6491ffea560c
SettingsPagePCSystemBluetooth 5b04b775-356b-4aa0-aaf8-6491ffea5620_1.0.0.0_neutral__nvaj48k0z8te8 5b04b775-356b-4aa0-aaf8-6491ffea5620
SettingsPageNetworkAirplaneMode 5b04b775-356b-4aa0-aaf8-6491ffea5621_1.0.0.0_neutral__f73kmnfsk0aj2 5b04b775-356b-4aa0-aaf8-6491ffea5621
SettingsPageNetworkWiFi 5b04b775-356b-4aa0-aaf8-6491ffea5623_1.0.0.0_neutral__a3jhh70a240gm 5b04b775-356b-4aa0-aaf8-6491ffea5623
SettingsPageNetworkInternetSharing 5b04b775-356b-4aa0-aaf8-6491ffea5629_1.0.0.0_neutral__yqcw9dmx6t3pe 5b04b775-356b-4aa0-aaf8-6491ffea5629
SettingsPageAccountsWorkplace 5b04b775-356b-4aa0-aaf8-6491ffea562a_1.0.0.0_neutral__q1wjbr14bc3d0 5b04b775-356b-4aa0-aaf8-6491ffea562a
SettingsPageRestoreUpdate 5b04b775-356b-4aa0-aaf8-6491ffea5640_1.0.0.0_neutral__j77gbj5kz730y 5b04b775-356b-4aa0-aaf8-6491ffea5640
SettingsPageKidsCorner 5b04b775-356b-4aa0-aaf8-6491ffea5802_1.0.0.0_neutral__1wmss2z3sft8c 5b04b775-356b-4aa0-aaf8-6491ffea5802
SettingsPageDrivingMode 5b04b775-356b-4aa0-aaf8-6491ffea5804_1.0.0.0_neutral__t553967svy34g 5b04b775-356b-4aa0-aaf8-6491ffea5804
SettingsPageTimeLanguage 5b04b775-356b-4aa0-aaf8-6491ffea5808_1.0.0.0_neutral__ecxasj38g8ynw 5b04b775-356b-4aa0-aaf8-6491ffea5808
SettingsPageAppsCorner 5b04b775-356b-4aa0-aaf8-6491ffea580a_1.0.0.0_neutral__4vefaa8deck74 5b04b775-356b-4aa0-aaf8-6491ffea580a
SettingsPagePhoneNfc b0894dfd-4671-4bb9-bc17-a8b39947ffb6_1.0.0.0_neutral__1prqnbg33c1tj b0894dfd-4671-4bb9-bc17-a8b39947ffb6

收件箱应用和组件

以下列表显示可能包含在收件箱中的应用。

备注

此列表标识作为可添加到 AppLocker 策略的Windows的一部分,以确保操作系统正常运行的系统应用。 如果决定阻止其中一些应用,建议在部署到生产环境之前进行彻底测试。 如果失败,可能会导致意外故障,并会显著降低用户体验。

应用 产品 ID 产品名称
3D 查看器 f41647c9-d567-4378-b2ab-7924e5a152f3 Microsoft.Microsoft3DViewer (已添加到 Windows 10 版本 1703)
高级信息 b6e3e590-9fa5-40c0-86ac-ef475de98e88 b6e3e590-9fa5-40c0-86ac-ef475de98e88
年老工人 09296e27-c9f3-4ab9-aa76-ecc4497d94bb
闹钟和时钟 44f7d2b4-553d-4bec-a8b7-634ce897ed5f Microsoft.WindowsAlarms
应用下载 20bf77a0-19c7-4daa-8db5-bc3dfdfa44ac
分配的访问锁定应用 b84f4722-313e-4f85-8f41-cf5417c9c5cb
必应锁定映像 5f28c179-2780-41df-b966-27807b8de02c
阻止和筛选 59553c14-5701-49a2-9909-264d034deb3d
代理插件 (与工作或学校帐户) 相同 Microsoft.AAD.BrokerPlugin
计算器 b58171c6-c70c-4266-a2e8-8f9c994f4456 Microsoft.WindowsCalculator
相机 f0d8fefd-31cd-43a1-a45a-d0276db069f1 Microsoft.WindowsCamera
CertInstaller 4c4ad968-7100-49de-8cd1-402e198d869e
颜色配置文件 b08997ca-60ab-4dce-b088-f92e9c7994f3
连接 af7d2801-56c0-4eb1-824b-dd91cdf7ece5 Microsoft.DevicesFlow
联系支持人员 0db5fcff-4544-458a-b320-e352dfd9ca2b Windows.ContactSupport
Cortana fd68dcf4-166f-4c55-a4ca-348020f71b94 Microsoft.Windows.Cortana
Cortana侦听 UI CortanaListenUI
凭据对话框主机 Microsoft.CredDialogHost
设备门户 PIN UX holopairingapp
电子邮件和帐户 39cf127b-8c67-c149-539a-c02271d07060 Microsoft.AccountsControl
Enterprise安装应用 da52fa01-ac0f-479d-957f-bfe4595941cb
均衡 373cb76e-7f6c-45aa-8633-b00e85c73261
Excel ead3e7c0-fae6-4603-8699-6a448138f4dc 微软。Office。Excel
Facebook 82a23635-5bd9-df11-a844-00237de2db9e Microsoft.MSFacebook
Field Medic 73c58570-d5a7-46f8-b1b2-2a90024fc29c
文件资源管理器 c5e2524a-ea46-4f67-841f-6a9465d9d515 c5e2524a-ea46-4f67-841f-6a9465d9d515
调频广播 f725010e-455d-4c09-ac48-bcdef0d4b626 f725010e-455d-4c09-ac48-bcdef0d4b626
入门 b3726308-3d74-4a14-a84c-867c8c735c3c Microsoft.Getstarted
概览 106e0a97-8b19-42cf-8879-a8ed2598fcbb
Groove 音乐 d2b6a184-da39-4c9a-9e0a-8b589b03dec0 Microsoft.ZuneMusic
Hands-Free激活 df6c9621-e873-4e86-bb56-93e9f21b1d6f
Hands-Free激活 72803bd5-4f36-41a4-a349-e83e027c4722
HAP 更新后台辅助角色 73c73cdd-4dea-462c-bd83-fa983056a4ef
全息 Shell HoloShell
Lumia 运动数据 8fc25fd2-4e2e-4873-be44-20e57f6ec52b
地图 ed27a07e-af57-416b-bc0c-2596b622ef7d Microsoft.WindowsMaps
消息 27e26f40-e031-48a6-b130-d1f20388991a Microsoft.Messaging
Microsoft 帐户 3a4fae89-7b7e-44b4-867b-f7e2772b8253 Microsoft.CloudExperienceHost
Microsoft Edge 395589fb-5884-4709-b9df-f7d558663ffd Microsoft.MicrosoftEdge
Microsoft Frameworks ProductID = 00000000-0000-0000-00000-000000000000 PublisherName=“CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US”
迁移 UI MigrationUIApp
MiracastView 906beeda-b7e6-4ddc-ba8d-ad5031223ef9 906beeda-b7e6-4ddc-ba8d-ad5031223ef9
混合现实门户 微软。Windows。HolographicFirstRun
财经 1e0440f1-7abf-4b9a-863d-177970eefb5e Microsoft.BingFinance
电影和电视 6affe59e-0467-4701-851f-7ac026e21665 Microsoft.ZuneVideo
音乐下载 3da8a0c1-f7e5-47c0-a680-be8fd013f747
导航栏 2cd23676-8f68-4d07-8dd2-e693d4b01279
网络服务 62f172d1-f552-4749-871c-2afd1c95c245
新闻 9c3e8cad-6702-4842-8f61-b8b33cc9caf1 Microsoft.BingNews
OneDrive ad543082-80ec-45bb-aa02-ffe7f4182ba8 Microsoft.MicrosoftSkydrive
OneNote ca05b3ab-f157-450c-8c49-a1f127f5e71d Microsoft.Office.OneNote
Outlook 日历和邮件 a558feba-85d7-4665-b5d8-a2ff9c19799b Microsoft.WindowsCommunicationsApps
人脉 60be1fb8-3291-4b21-bd39-2221ab166481 Microsoft.People
电话 5b04b775-356b-4aa0-aaf8-6491ffea5611 5b04b775-356b-4aa0-aaf8-6491ffea5611
电话(拨号程序) f41b5d0e-ee94-4f47-9cfe-3d3934c5a2c7 Microsoft.CommsPhone
电话重置对话框 2864278d-09b5-46f7-b502-1c24139ecbdd
照片 fca55e1b-b9a4-4289-882f-084ef4145005 Microsoft.Windows.Photos
播客 c3215724-b279-4206-8c3e-61d1a9d63ed3 Microsoft.MSPodcast
播客下载 063773e7-f26f-4a92-81f0-aa71a1161e30
PowerPoint b50483c4-8046-4e1b-81ba-590b24935798 微软。Office。PowerPoint
PrintDialog 0d32eeb1-32f0-40da-8558-cea6fcbec4a4 Microsoft.PrintDialog
“购买”对话框 c60e79ca-063b-4e5d-9177-1309357b2c3f
对设备进行评分 aec3bfad-e38c-4994-9c32-50bd030730ec
RingtoneApp.WindowsPhone 3e962450-486b-406b-abb5-d38b4ee7e6fe Microsoft.Tonepicker
保存铃声 d8cf8ec7-ec6d-4892-aab9-1e3a4b5fa24b
“设置” 2a4e62d8-8809-4787-89f8-69d0f01654fb 2a4e62d8-8809-4787-89f8-69d0f01654fb
“设置” SystemSettings
安装向导 07d87655-e4f0-474b-895a-773790ad4a32
共享 b0894dfd-4671-4bb9-bc17-a8b39947ffb6
登录Windows 10 全息版 WebAuthBridgeInternetSso、WebAuthBridgeInternet、WebAuthBridgeIntranetSso、WebAuthBrokerInternetSso、WebAuthBrokerInternetSso、WebAuthBrokerInternetSso、WebAuthBrokerInternet、WebAuthBrokerIntranetSso、SignIn
Skype c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51 Microsoft.SkypeApp
Skype 视频 27e26f40-e031-48a6-b130-d1f20388991a Microsoft.Messaging
体育 0f4c8c7e-7114-4e1e-a84c-50664db13b17 Microsoft.BingSports
SSMHost e232aa77-2b6d-442c-b0c3-f3bb9788af2a
“开始”菜单 5b04b775-356b-4aa0-aaf8-6491ffea5602 5b04b775-356b-4aa0-aaf8-6491ffea5602
存储 5b04b775-356b-4aa0-aaf8-6491ffea564d 5b04b775-356b-4aa0-aaf8-6491ffea564d
应用商店 7d47d89a-7900-47c5-93f2-46eb6d94c159 Microsoft.WindowsStore
触摸 (手势和触摸) bbc57c87-46af-4c2c-824e-ac8104cceb38
语音录音机 7311b9c5-a4e9-4c74-bc3c-55b06ba95ad0 Microsoft.WindowsSoundRecorder
电子钱包 587a4577-7868-4745-a29e-f996203f1462 Microsoft.MicrosoftWallet
电子钱包 12ae577e-f8d1-4197-a207-4d24c309ff8f Microsoft.Wallet
天气 63c2a117-8604-44e7-8cef-df10be3a57c8 Microsoft.BingWeather
Windows默认锁定屏幕 cdd63e31-9307-4ccb-ab62-1ffa5721b503
Windows 反馈 7604089d-d13f-4a2d-9998-33fc02b63ce3 Microsoft.WindowsFeedback
文字 258f115c-48f4-4adb-9a68-1387e634459b 微软。Office。词
工作或学校帐户 e5f8b2c4-75ae-45ee-9be8-212e34f77747 Microsoft.AAD.BrokerPlugin
Xbox b806836f-eebe-41c9-8669-19e243b81b83 Microsoft.XboxApp
Xbox 标识提供者 ba88225b-059a-45a2-a8eb-d3580283e49d Microsoft.XboxIdentityProvider

Allowlist 示例

以下示例禁用日历应用程序。

<SyncML xmlns="SYNCML:SYNCML1.2">
    <SyncBody>
        <Add>
            <CmdID>$CmdID$</CmdID>
            <Item>
                <Target>
                    <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">chr</Format>
                    <Type xmlns="syncml:metinf">text/plain</Type>
                </Meta>
                <Data><AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"><Deny><App ProductId="{a558feba-85d7-4665-b5d8-a2ff9c19799b}"/></Deny></AppPolicy>
                </Data>
            </Item>
        </Add>
        <Final/>
    </SyncBody>
</SyncML>

以下示例阻止地图应用程序的使用。

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Add>
      <CmdID>$CmdID$</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/AppLockerPhoneGroup0/StoreApps/Policy</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>
            <RuleCollection Type="Appx" EnforcementMode="Enabled">
                <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed Appx packages" Description="Allows members of the Everyone group to run Appx packages that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
                    <Conditions>
                    <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
                    <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
                    </FilePublisherCondition>
                    </Conditions>
                </FilePublisherRule>

                <FilePublisherRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Deny Splash appmaps" Description="Deny members of the local Administrators group to run maps." UserOrGroupSid="S-1-1-0" Action="Deny">
                  <Conditions>
                    <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" />
                  </Conditions>
                </FilePublisherRule>

            </RuleCollection>
        </Data>
      </Item>
    </Add>
   <Final/>
  </SyncBody>
</SyncML>

以下示例禁用混合现实门户。 在该示例中, ID 可以是任何生成的 GUID, 名称 可以是你选择的任何名称。 BinaryName="*" 允许阻止混合现实门户包中的任何应用可执行文件。 本示例中所示的 Binary/VersionRange 将阻止所有版本的混合现实门户应用。

<SyncML xmlns="SYNCML:SYNCML1.2">
    <SyncBody>
        <Add>
            <CmdID>$CmdID$</CmdID>
            <Item>
                <Target>
                    <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">chr</Format>
                    <Type xmlns="syncml:metinf">text/plain</Type>
                </Meta>
                <Data>
                  <RuleCollection Type="Appx" EnforcementMode="Enabled">
                   <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
                    <Conditions>
                      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
                        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
                      </FilePublisherCondition>
                    </Conditions>
                  </FilePublisherRule>
                  <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
                   <Conditions>
                     <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*">
                      <BinaryVersionRange LowSection="*" HighSection="*" />
                      </FilePublisherCondition>
                    </Conditions>
                  </FilePublisherRule>
                 </RuleCollection>>
                </Data>
            </Item>
        </Add>
        <Final/>
    </SyncBody>
</SyncML>

在此示例 中,MobileGroup0 是节点名称。 建议为此节点使用 GUID。

<?xml version="1.0" encoding="utf-8"?>
<SyncML>
  <SyncBody>
    <Add>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MobileGroup0</LocURI>
        </Target>
      </Item>
    </Add>
    <Add>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MobileGroup0/StoreApps</LocURI>
        </Target>
      </Item>
    </Add>
    <Replace>
      <CmdID>3</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MobileGroup0/StoreApps/Policy</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>
<RuleCollection Type="Appx" EnforcementMode="Enabled">

    <FilePublisherRule Id="172B8ACE-AAF5-41FA-941A-93AEE126B4A9" Name="Default Rule to Deny ALL" Description="Deny all publisher" UserOrGroupSid="S-1-1-0" Action="Deny">
        <Conditions>
            <FilePublisherCondition PublisherName="CN=*" ProductName="*" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="DDCD112F-E003-4874-8B3E-14CB23851D54" Name="Allowlist Settings splash app" Description="Allow Admins to run Settings." UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="2A4E62D8-8809-4787-89F8-69D0F01654FB" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="757D94A8-C752-4013-9896-D46EF10925E9" Name="Allowlist Settings WorkOrSchool" Description="Allow Admins to run WorkOrSchool" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA562A" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="473BCE1A-94D2-4AE1-8CB1-064B0677CACB" Name="Allowlist WorkPlace AAD BrokerPlugin" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.AAD.BrokerPlugin" BinaryName="*" >
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="E13EA64B-B0D3-4257-87F4-1B522D06EA03" Name="Allowlist Start" Description="Allow Admins to run Start." UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA5602" BinaryName="*" >
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="2898C4B2-4B37-4BFF-8F7B-16B377EDEA88" Name="Allowlist SettingsPageKeyboard" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5608" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="15BBA04F-3989-4FF7-9FEF-83C4DFDABA27" Name="Allowlist SettingsPageTimeRegion" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea560c" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="C3735CB1-060D-4D40-9708-6D33B98A7A2D" Name="Allowlist SettingsPagePCSystemBluetooth" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5620" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="AFACF5A3-2974-41EE-A31A-1486F593C145" Name="Allowlist SettingsPageNetworkAirplaneMode" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5621" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="7B02A339-9E77-4694-AF86-119265138129" Name="Allowlist SettingsPageNetworkWiFi" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA5623" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="F912172F-9D83-46F5-8D6C-BA7AB17063BE" Name="Allowlist SettingsPageNetworkInternetSharing" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA5629" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="67AE8001-4E49-442A-AD72-F837129ABF63" Name="Allowlist SettingsPageRestoreUpdate" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5640" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="7B65BCB2-4B1D-42B6-921B-B87F1474BDC5" Name="Allowlist SettingsPageKidsCorner" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5802" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="3964A53B-E131-4ED6-88DA-71FBDBE4E232" Name="Allowlist SettingsPageDrivingMode" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5804" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="99C4CD58-51A2-429A-B479-976ADB4EA757" Name="Allowlist SettingsPageTimeLanguage" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5808" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="EBA3BCBE-4651-48CE-8F94-C5AC5D8F72FB" Name="Allowlist SettingsPageAppsCorner" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea580a" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="E16EABCC-46E7-4AB3-9F48-67FFF941BBDC" Name="Allowlist SettingsPagePhoneNfc" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="*" ProductName="b0894dfd-4671-4bb9-bc17-a8b39947ffb6" BinaryName="*">
                <BinaryVersionRange LowSection="*" HighSection="*"/>
            </FilePublisherCondition>
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="1F4C3904-9976-4FEE-A492-5708F14EABA5" Name="Allowlist MSA Cloud Experience Host" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.CloudExperienceHost" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="AA741A28-7C02-49A5-AA5C-35D53FB8A9DC" Name="Allowlist Email and Accounts" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.AccountsControl" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="863BE063-D134-4C5C-9825-9DF9A86B6B56" Name="Allowlist Calculator" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsCalculator" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="1DA2F479-3D1D-4425-9FFA-D4E6908F945A" Name="Allowlist Alarms and  Clock" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsAlarms" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="18E12372-21C6-4DA5-970E-0A58739D7151" Name="Allowlist People" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.People" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="FD686D83-A829-4351-8FF4-27C7DE5755D2" Name="Allowlist Camera" Description="Allow Admins to run camera." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsCamera" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="16875F70-1778-43CC-96BB-783C9A8E53D5" Name="Allowlist WindowsMaps" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="D21D6F9D-CFF6-4AD1-867A-2411CE6A388D" Name="Allowlist FileExplorer" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="c5e2524a-ea46-4f67-841f-6a9465d9d515" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="450B6D7E-1738-41C9-9241-466C3FA4AB0C" Name="Allowlist FM Radio" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="F725010E-455D-4C09-AC48-BCDEF0D4B626" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="37F4272C-F4A0-4AB8-9B5F-C9194A0EC6F3" Name="Allowlist Microsoft Edge" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftEdge" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="253D3AEA-36C0-4877-B932-9E9C9493F3F3" Name="Allowlist Movies" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.ZuneVideo" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="9A73E081-01D1-4BFD-ADF4-5C29AD4031F7" Name="Allowlist Money" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingFinance" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="EE4BF66C-EBF0-4565-982C-922FFDCB2E6D" Name="Allowlist News" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingNews" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="D78E6A9D-10F8-4C23-B620-40B01B60E5EA" Name="Allowlist Onedrive" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="AD543082-80EC-45BB-AA02-FFE7F4182BA8" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="0012F35E-C242-47FF-A573-3DA06AF7E43C" Name="Allowlist Onedrive APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftSkydrive" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="178B0D68-3498-40CE-A0C3-295C6B3DA169" Name="Allowlist OneNote" Description="Allow Admins to run onenote." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.OneNote" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="673914E4-D73A-405D-8DCF-173E36EA6722" Name="Allowlist GetStarted" Description="Allow Admins to run onenote." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Getstarted" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="4546BD28-69B6-4175-A44C-33197D48F658" Name="Allowlist Outlook Calendar" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="microsoft.windowscommunicationsapps" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="7B843572-E1AD-45E6-A1F2-C551C70E4A34" Name="Allowlist Outlook Mail" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="microsoft.windowscommunicationsapps" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="E5A1CD1A-8C23-41E4-AACF-BF82FCE775A5" Name="Allowlist Photos" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Photos" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="0A194DD1-B25B-4512-8AFC-6F560D0EC205" Name="Allowlist PodCasts" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MSPodcast" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="F5D27860-0238-4D1A-8011-9B8B263C3A33" Name="Allowlist SkypeApp" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="Microsoft.SkypeApp" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="B8BBC965-EC6D-4C16-AC68-C5F0090CB703" Name="Allowlist Store" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="6031E1E7-A659-4B3D-87FB-3CB4C900F9D2" Name="Allowlist Sports" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingSports" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="A6D61B56-7CF7-4E95-953C-3A5913309B4E" Name="Allowlist Wallet" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftWallet" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="A2C44744-0627-4A52-937E-E3EC1ED476E0" Name="Allowlist Weather" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingWeather" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="D79978B4-EFAE-4458-8FE1-0F13B5CE6764" Name="Allowlist Xbox" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.XboxApp" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="395713B9-DD39-4741-8AB3-63D0A0DCA2B0" Name="Allowlist Xbox Identity Provider" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.XboxIdentityProvider" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="7565A8BB-D50B-4237-A9E9-B0997B36BDF9" Name="Allowlist Voice recorder" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsSoundRecorder" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="409A286E-8C3D-48AB-9D7C-3225A48B30C9" Name="Allowlist Word" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.Word" BinaryName="*" />
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="F72A5DA6-CA6A-4E7F-A350-AC9FACAB47DB" Name="Allowlist Excel" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.Excel" BinaryName="*" />
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="169B3498-2A73-4D5C-8AFB-A0DE2908A07D" Name="Allowlist PowerPoint" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.PowerPoint" BinaryName="*" />
        </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="A483B662-3538-4D70-98A7-1312D51A0DB9" Name="Allowlist Contact Support" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Windows.ContactSupport" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="EAB1CEDC-DD8A-4311-9146-27A3C689DEAF" Name="Allowlist Cortana" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Cortana" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="01CD8E68-666B-4DE6-8849-7CE4F0C37CA8" Name="Allowlist Storage" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA564D" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="15D9AD89-58BC-458E-9B96-3A18DA63AC3E" Name="Allowlist Groove Music" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.ZuneMusic" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="E2B71B03-D759-4AE2-8526-E1A0CE2801DE" Name="Allowlist Windows Feedback" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsFeedback" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="E7A30489-A20B-44C3-91A8-19D9F61A8B5B" Name="Allowlist Messaging and Messaging Video" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Messaging" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="D2A16D0C-8CC0-4C3A-9FB5-C1DB1B380CED" Name="Allowlist Phone splash" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
    <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA5611" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="2A355478-7449-43CB-908A-A378AA59FBB9" Name="Allowlist Phone APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.CommsPhone" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="89441630-7F1C-439B-8FFD-0BEEFF400C9B" Name="Allowlist Connect APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.DevicesFlow" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="E8AF01B5-7039-44F4-8072-6A6CC71EDF2E" Name="Allowlist Miracast APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="906BEEDA-B7E6-4DDC-BA8D-AD5031223EF9" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="DA02425B-0291-4A10-BE7E-B9C7922F4EDF" Name="Allowlist Print Dialog APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.PrintDialog" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="42919A05-347B-4A5F-ACB2-73710A2E6203" Name="Allowlist Block and Filter APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BlockandFilterglobal" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="6F3D8885-C15E-4D7E-8E1F-F2A560C08F9E" Name="Allowlist MSFacebook" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MSFacebook" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

    <FilePublisherRule Id="5168A5C3-5DC9-46C1-87C0-65A9DE1B4D18" Name="Allowlist Advanced Info" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="B6E3E590-9FA5-40C0-86AC-EF475DE98E88" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>

</RuleCollection>
        </Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>

适用于企业的Windows 10 全息版示例

以下适用于企业的Windows 10 全息版示例拒绝所有应用,并允许最小一组收件箱应用启用工作设备,并设置。

<RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="96B82A15-F841-499a-B674-963DC647762F"
                     Name="Allowlist BackgroundTaskHost"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="*"
          BinaryName="BackgroundTaskHost*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="8D345CB2-AC5B-4b6b-8F0B-DCE3F6FB9259"
                     Name="Allowlist CertInstaller"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*"
          ProductName="4c4ad968-7100-49de-8cd1-402e198d869e"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="9F07FB38-B952-4f3c-A17A-CE7EC8132987"
                     Name="Allowlist MigrationUI"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="MigrationUIApp"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="1C32E96F-2F44-4317-9D98-2F624147D7AE"
                     Name="Allowlist CredDiagHost"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="Microsoft.CredDialogHost"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="53DCC751-E92A-4d0a-84DF-E6EAC2A7C7CE"
                     Name="Allowlist Settings"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="SystemSettings"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="70D9E233-81F4-4707-B79D-58F9C3A6BFB1"
                     Name="Allowlist HoloShell"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="HoloShell"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="6557A9BC-BA1F-4b7d-90FD-8C620CA81906"
                     Name="Allowlist MSA"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="Microsoft.Windows.CloudExperienceHost"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="81CD98A6-82EC-443f-87F8-039B00DFBE78"
                     Name="Allowlist BrokerPlugin"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="Microsoft.AAD.BrokerPlugin"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="1330E03E-7D43-4e01-9853-40ED8CF62D10"
                     Name="Allowlist SignIn1"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="WebAuthBridgeInternetSso"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="107EC30A-2CEF-4ec1-B556-F7DAA7DF7998"
                     Name="Allowlist SignIn2"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="WebAuthBridgeInternet"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="F806AC17-3E31-4a83-92EB-6A34696478D1"
                     Name="Allowlist SignIn3"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="WebAuthBridgeIntranetSso"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="E8CAF694-2256-4516-BDCC-CDABF218573C"
                     Name="Allowlist SignIn4"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="WebAuthBrokerInternetSso"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="5918428D-B9A8-4810-8FB4-25AE5A25D5A7"
                     Name="Allowlist SignIn5"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="WebAuthBrokerInternet"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="C90D99E3-C3EE-47c5-B181-7E8C54FA66B3"
                     Name="Allowlist SignIn6"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="WebAuthBrokerIntranetSso"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="9CD87A91-FB48-480d-B788-3770A950CD03"
                     Name="Allowlist SignIn7"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="SignIn"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="DCF74448-C287-4195-9072-8F3649AB9305"
                     Name="Allowlist Cortana"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="Microsoft.Windows.Cortana"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="BE4FD0C4-527B-45a3-A5B8-F4EA00584779"
                      Name="Allowlist Cortana ListenUI"
                      Description=""
                      UserOrGroupSid="S-1-1-0"
                      Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="CortanaListenUI"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="336509A7-FFBA-48cb-81BD-8DF9060B3CF8"
                     Name="Allowlist Email and accounts"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="Microsoft.AccountsControl"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="55912F15-0B94-445b-80E1-83BC8F0E8999"
                     Name="Allowlist Device Portal PIN UX"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="holopairingapp"
          BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>

建议的Windows 信息保护块列表

下面的示例Windows 10版本 1607 拒绝将已知未开明的 Microsoft 应用作为允许的应用访问企业数据。 (管理员仍可能使用豁免规则。) 此防护可确保管理员不会意外地允许这些应用Windows 信息保护,并避免与这些应用程序的自动文件加密相关的已知兼容性问题。

在此示例中,Contoso 是节点名称。 建议为此节点使用 GUID。

<?xml version="1.0" encoding="utf-8"?>
<SyncML>
  <SyncBody>
    <Add>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Contoso</LocURI>
        </Target>
      </Item>
    </Add>
    <Add>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Contoso/EXE</LocURI>
        </Target>
      </Item>
    </Add>
    <Replace>
      <CmdID>3</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Contoso/EXE/Policy</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePublisherRule Id="b005eade-a5ee-4f5a-be45-d08fa557a4b2" Name="MICROSOFT OFFICE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE" BinaryName="EXCEL.EXE">
          <BinaryVersionRange LowSection="16.0.10336.20000" HighSection="*" />
        </FilePublisherCondition>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE" BinaryName="LYNC.EXE">
          <BinaryVersionRange LowSection="16.0.10336.20000" HighSection="*" />
        </FilePublisherCondition>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE" BinaryName="LYNC99.EXE">
          <BinaryVersionRange LowSection="16.0.10336.20000" HighSection="*" />
        </FilePublisherCondition>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE" BinaryName="MSOSYNC.EXE">
          <BinaryVersionRange LowSection="16.0.10336.20000" HighSection="*" />
        </FilePublisherCondition>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE" BinaryName="OCPUBMGR.EXE">
          <BinaryVersionRange LowSection="16.0.10336.20000" HighSection="*" />
        </FilePublisherCondition>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE" BinaryName="POWERPNT.EXE">
          <BinaryVersionRange LowSection="16.0.10336.20000" HighSection="*" />
        </FilePublisherCondition>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE" BinaryName="UCMAPI.EXE">
          <BinaryVersionRange LowSection="16.0.10336.20000" HighSection="*" />
        </FilePublisherCondition>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE" BinaryName="WINWORD.EXE">
          <BinaryVersionRange LowSection="16.0.10336.20000" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>    
  </FilePublisherRule>
  <FilePublisherRule Id="de9f3461-6856-405d-9624-a80ca701f6cb" Name="MICROSOFT OFFICE 2003, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2003" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="ade1b828-7055-47fc-99bc-432cf7d1209e" Name="2007 MICROSOFT OFFICE SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="2007 MICROSOFT OFFICE SYSTEM" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="f6a075b5-a5b5-4654-abd6-731dacb40d95" Name="MICROSOFT OFFICE ONENOTE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE ONENOTE" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="12.0.9999.9999" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="0ec03b2f-e9a4-4743-ae60-6d29886cf6ae" Name="MICROSOFT OFFICE OUTLOOK, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE OUTLOOK" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="12.0.9999.9999" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="7b272efd-4105-4fb7-9d40-bfa597c6792a" Name="MICROSOFT OFFICE 2013, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2013" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="89d8a4d3-f9e3-423a-92ae-86e7333e2662" Name="MICROSOFT ONENOTE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT ONENOTE" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
    <Exceptions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT ONENOTE" BinaryName="ONENOTE.EXE">
        <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePublisherRule>
  <FilePublisherRule Id="5a2138bd-8042-4ec5-95b4-f990666fbf61" Name="MICROSOFT OUTLOOK, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OUTLOOK" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
    <Exceptions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OUTLOOK" BinaryName="OUTLOOK.EXE">
        <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePublisherRule>
  <FilePublisherRule Id="3fc5f9c5-f180-435b-838f-2960106a3860" Name="MICROSOFT ONEDRIVE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT ONEDRIVE" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
    <Exceptions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT ONEDRIVE" BinaryName="ONEDRIVE.EXE">
        <BinaryVersionRange LowSection="17.3.6386.0412" HighSection="*" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePublisherRule>
  <FilePublisherRule Id="17d988ef-073e-4d92-b4bf-f477b2ecccb5" Name="MICROSOFT OFFICE 2016, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
    <Exceptions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="LYNC.EXE">
        <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="LYNC99.EXE">
        <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="UCMAPI.EXE">
        <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="OCPUBMGR.EXE">
        <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="WINWORD.EXE">
        <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="EXCEL.EXE">
        <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="POWERPNT.EXE">
        <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="MSOSYNC.EXE">
        <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePublisherRule>
</RuleCollection>
        </Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>

相关主题

配置服务提供程序参考