Deploy Cloud Agent for Windows on Azure Stack HCI

Azure Stack HCI is a hyper-converged infrastructure solution that can host Windows and Linux workloads. This section describes the steps to install Windows Cloud Agent on Azure Stack HCI OS 22H2 and 23H2.

Azure Stack HCI OS 22H2 and 23H2 are protected by Windows Defender Application Control (WDAC). WDAC is a software-based security control that protects your assets by restricting which executables, scripts and drivers are allowed to run; the default policy allows only Microsoft-signed code and blocks third-party applications (software signed by entities other than Microsoft). WDAC is enabled by default on Azure Stack HCI and limits the applications and code that can run on your assets.

To run third-party software on Azure Stack HCI platforms, you must install a WDAC supplemental policy provided by the third-party software vendor. A supplemental policy extends the base policy that ships with the OS: it can only add allowed signers or files, it cannot loosen the base policy.

Steps to Install WDAC Supplemental Policy

Perform the following steps when installing Qualys Cloud Agent on your Azure Stack HCI platforms so that the agent binaries are allowed to run under WDAC.

Download Supplemental Policy

Perform the following steps to download and deploy Qualys Supplemental Policy:

  1. Download or copy the following WDAC supplemental policy provided by Qualys to the Azure Stack HCI host.

    Qualys Supplemental Policy

     
          <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Supplemental Policy">
            <VersionEx>1.0.0</VersionEx>
            <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
            <Rules> 
              <Rule>
                <Option>Enabled:Unsigned System Integrity Policy</Option>
              </Rule>
            </Rules>
            <!-- EKUS -->
            <EKUs/>
            <!-- File Rules -->
            <FileRules/>
            <!-- Signers -->
            <Signers>
              <Signer ID="ID_SIGNER_S_1" Name="DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1">
                <CertRoot Type="TBS" Value="65B1D4076A89AE273F57E6EEEDECB3EAE129B4168F76FA7671914CDF461D542255C59D9B85B916AE0CA6FC0FCF7A8E64"/>
                <CertPublisher Value="Qualys, Inc"/>
              </Signer>
              <Signer ID="ID_SIGNER_S_2" Name="DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1">
                <CertRoot Type="TBS" Value="65B1D4076A89AE273F57E6EEEDECB3EAE129B4168F76FA7671914CDF461D542255C59D9B85B916AE0CA6FC0FCF7A8E64"/>
                <CertPublisher Value="Qualys, Inc."/>
              </Signer>
            </Signers>
            <!-- Driver Signing Scenarios -->
            <SigningScenarios>
              <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 03-03-2023">
                <ProductSigners/>
              </SigningScenario>
              <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 03-03-2023">
                <ProductSigners>
                  <AllowedSigners>
                    <AllowedSigner SignerId="ID_SIGNER_S_1"/>
                    <AllowedSigner SignerId="ID_SIGNER_S_2"/>
                  </AllowedSigners>
                </ProductSigners>
              </SigningScenario>
            </SigningScenarios>
            <UpdatePolicySigners/>
            <CiSigners>
              <CiSigner SignerId="ID_SIGNER_S_1"/>
              <CiSigner SignerId="ID_SIGNER_S_2"/>
            </CiSigners>
            <HvciOptions>0</HvciOptions>
            <Settings>
              <Setting Provider="PolicyInfo" Key="Information" ValueName="Name">
                <Value>
                  <String>Qualys-supplemental-policy</String>
                </Value>
              </Setting>
            </Settings>
            <BasePolicyID>{A6368F66-E2C9-4AA2-AB79-8743F6597683}</BasePolicyID>
            <PolicyID>{A1450A3C-FF99-45CB-BD37-4D7417E4E7FA}</PolicyID>
         </SiPolicy>
          

    The SHA256 hash of the policy file as distributed by Qualys: 5C5A3E042B4FBE505874BD6D396D29B73F2BD331EA5588BA846A78E700324910

    Verify the hash with Get-FileHash before converting the file; any change to the file, including whitespace altered by copying the XML from this page by hand, produces a different hash. Note what the policy allows: user-mode code (signing scenario 12) whose signing chain runs through the DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 intermediate (identified by its TBS hash in CertRoot) to a leaf certificate with subject name "Qualys, Inc" or "Qualys, Inc." (the two signer entries differ only in the trailing period). The driver scenario (131) lists no signers, so this supplement allows nothing in kernel mode. The policy is unsigned (Enabled:Unsigned System Integrity Policy), so it is protected only by the ACL on the CiPolicies\Active folder and any local administrator can replace or remove it.

  2. Run the following command in an elevated PowerShell session to convert the XML policy into the binary format that code integrity loads (ConvertFrom-CIPolicy is part of the built-in ConfigCI module).
    ConvertFrom-CIPolicy -XmlFilePath <XML_file_path>\Qualys-supplemental-policy.xml -BinaryFilePath <output_path>\Qualys-supplemental-policy.bin

    Where,
    <XML_file_path> = The path of the Qualys supplemental policy XML file on your system.
    <output_path> = The output path for the Qualys supplemental policy in binary format.
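The policy above gates execution on a publisher rule: the issuing CA's TBS hash (CertRoot) plus the leaf certificate's subject name (CertPublisher). The following script, added here as an example and not part of the Qualys page or the Qualys product, recomputes that pair from the Authenticode signature on the Cloud Agent installer and checks it against every Signer in the policy XML, so you can confirm a given build of the agent is actually covered before the policy is deployed. The file paths are assumptions; the TBS computation follows the WDAC convention of hashing the DER-encoded TBSCertificate with the hash algorithm named in the certificate's own signature algorithm.

```powershell
# Added example, not Qualys code. Paths are assumptions for illustration.
param(
    [string]$PolicyXml  = 'C:\Temp\Qualys-supplemental-policy.xml',   # assumed location
    [string]$SignedFile = 'C:\Temp\QualysCloudAgent.exe'              # assumed installer name
)
$ErrorActionPreference = 'Stop'

# WDAC "TBS" hash: hash of the full DER TBSCertificate element (tag + length + content),
# using the hash named in the certificate's signature algorithm (sha384RSA -> SHA384).
function Get-CiTbsHash {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Minimal DER reader: header length and content length of the TLV at $Offset.
    function Read-DerHeader([byte[]]$Bytes, [int]$Offset) {
        $len = [int]$Bytes[$Offset + 1]
        $hdr = 2
        if ($len -band 0x80) {                      # long-form length
            $n = $len -band 0x7F
            $len = 0
            for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$Offset + 2 + $i] }
            $hdr = 2 + $n
        }
        return @($hdr, $len)
    }

    $raw      = $Cert.RawData
    $outer    = Read-DerHeader $raw 0              # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    $tbsStart = $outer[0]
    $inner    = Read-DerHeader $raw $tbsStart      # tbsCertificate is the first child SEQUENCE
    $tbsLen   = $inner[0] + $inner[1]
    $tbs      = [byte[]]$raw[$tbsStart..($tbsStart + $tbsLen - 1)]

    $algo = switch -Regex ($Cert.SignatureAlgorithm.FriendlyName) {
        'sha512' { [System.Security.Cryptography.SHA512]::Create(); break }
        'sha384' { [System.Security.Cryptography.SHA384]::Create(); break }
        'sha256' { [System.Security.Cryptography.SHA256]::Create(); break }
        default  { [System.Security.Cryptography.SHA1]::Create() }
    }
    $hash = $algo.ComputeHash($tbs)
    $algo.Dispose()
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

# Signer rules from the policy. PowerShell's [xml] adapter navigates by local name,
# so the sipolicy default namespace does not get in the way.
[xml]$policy = Get-Content -Raw -Path $PolicyXml
$rules = foreach ($s in $policy.SiPolicy.Signers.Signer) {
    [pscustomobject]@{ Id = $s.ID; IssuerName = $s.Name; IssuerTbs = $s.CertRoot.Value; Publisher = $s.CertPublisher.Value }
}

# Leaf certificate from the Authenticode signature, then its issuing CA from the chain.
$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if ($sig.Status -ne 'Valid') { throw "Signature on $SignedFile is $($sig.Status)" }
$leaf  = $sig.SignerCertificate
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain shape only; revocation is not the question here
[void]$chain.Build($leaf)
if ($chain.ChainElements.Count -lt 2) { throw "Could not build a chain for $SignedFile" }
$issuer = $chain.ChainElements[1].Certificate    # element 0 is the leaf, 1 is its issuer

$publisherCn = $leaf.GetNameInfo('SimpleName', $false)     # leaf subject CN, e.g. "Qualys, Inc."
$issuerTbs   = Get-CiTbsHash $issuer                       # 96 hex chars for a SHA384-signed CA

# -eq on strings is case-insensitive, so hex case differences do not matter.
$match = $rules | Where-Object { $_.IssuerTbs -eq $issuerTbs -and $_.Publisher -eq $publisherCn }
if ($match) {
    "OK: '$publisherCn' issued by '$($issuer.GetNameInfo('SimpleName', $false))' matches signer $($match.Id)"
} else {
    Write-Warning "No signer rule covers $SignedFile (publisher='$publisherCn', issuer TBS=$issuerTbs)"
    $rules | Format-Table -AutoSize
}
```

If the check fails with the right publisher name but a different issuer TBS, the agent build was signed under a different intermediate and needs an updated supplemental policy from the vendor; a trailing-period difference in the publisher name is why the policy carries both "Qualys, Inc" and "Qualys, Inc." entries.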

Deploy Supplemental Policy

Prerequisites for Deploying the Supplemental Policy

  • The supplemental policy binary must be named with its policy ID, in the following format:
    {policyID}.cip

    The policy ID is the value of the PolicyID element in the supplemental policy XML (not the BasePolicyID). For the above Qualys Supplemental Policy, the policy ID is A1450A3C-FF99-45CB-BD37-4D7417E4E7FA.

    In this case, the binary file name will be: {A1450A3C-FF99-45CB-BD37-4D7417E4E7FA}.cip
  • You must store the supplemental policy file at: C:\Windows\System32\CodeIntegrity\CiPolicies\Active
  • A supplemental policy is honored only when the base policy it references (BasePolicyID {A6368F66-E2C9-4AA2-AB79-8743F6597683} in the XML above) is active on the host. On a host whose base policy has a different ID, the supplement is ignored and the agent remains blocked.

Command to Deploy Binary Policy File

Use the following command on each target host to copy the binary policy into the active policy folder under the required name:

Copy-Item -Path <binary_file_path>\Qualys-supplemental-policy.bin -Destination "C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{A1450A3C-FF99-45CB-BD37-4D7417E4E7FA}.cip"

Where, <binary_file_path> = Path of the supplemental policy in binary format.

Activate Supplemental Policy

To activate the supplemental policy, either reboot the host or invoke the code integrity policy refresh tool, which reloads every policy in the active policy folder without a reboot.

  • Use the following command to invoke the WDAC refresh tool: 
    Invoke-WDACRefreshPolicyTool
  • You can also use RefreshPolicy.exe to activate the Qualys supplemental policy. Download RefreshPolicy.exe and run:
    <refresh_tool_path>\RefreshPolicy.exe

    Where, <refresh_tool_path> = The directory to which RefreshPolicy.exe was downloaded.
  • On successful activation of the policies in the active policy folder, the tool prints: Rebootless ConfigCI Policy Refreshing Succeeded!
  • Confirm activation in the event log at Application and Services Logs > Microsoft > Windows > CodeIntegrity > Operational. Event ID 3099 is logged for each policy that is refreshed and activated, and its message names the policy (Qualys-supplemental-policy) and its GUID. If Cloud Agent binaries are still blocked afterwards, events 3077 (enforced block) or 3076 (audit-mode block) in the same log identify the blocked file and the signer that was rejected.
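The convert, deploy, activate and verify steps above as one script, added here as an example rather than code from the Qualys page. It takes the policy and base policy IDs from the XML instead of typing them by hand, refuses a file whose hash differs from the published one, warns if the referenced base policy is not present in the active folder, prefers the cmdlet named on this page and falls back to RefreshPolicy.exe, and then looks for the activation event. The file locations and the RefreshPolicy.exe directory are assumptions; matching the policy GUID against the event 3099 message text is also an assumption about that event's wording.

```powershell
#Requires -RunAsAdministrator
# Added example, not Qualys-supplied code. Paths below are assumptions.
param(
    [string]$XmlPath         = 'C:\Temp\Qualys-supplemental-policy.xml',   # assumed location
    [string]$ExpectedSha256  = '5C5A3E042B4FBE505874BD6D396D29B73F2BD331EA5588BA846A78E700324910',
    [string]$RefreshToolPath = 'C:\Tools'                                    # assumed RefreshPolicy.exe directory
)
$ErrorActionPreference = 'Stop'
$activeDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity\CiPolicies\Active'

# 1. Integrity of the policy file. The published hash is of the file as distributed,
#    so a hand-copied XML with different whitespace fails here by design.
$actual = (Get-FileHash -Algorithm SHA256 -Path $XmlPath).Hash
if ($actual -ne $ExpectedSha256) { throw "Policy hash mismatch: got $actual, expected $ExpectedSha256" }

# 2. Policy and base policy IDs come from the XML (braces included, e.g. {A1450A3C-...}).
[xml]$policy = Get-Content -Raw -Path $XmlPath
if ($policy.SiPolicy.PolicyType -ne 'Supplemental Policy') { throw "$XmlPath is not a supplemental policy" }
$policyId = $policy.SiPolicy.PolicyID
$baseId   = $policy.SiPolicy.BasePolicyID

# 3. A supplemental policy is only honored when its base policy is active on this host.
$basePath = Join-Path $activeDir "$baseId.cip"
if (-not (Test-Path $basePath)) {
    Write-Warning "Base policy $baseId not found in $activeDir; the supplemental policy will be ignored on this host"
}

# 4. Convert to binary and place it under the required {PolicyID}.cip name.
$binPath = Join-Path $env:TEMP "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $binPath | Out-Null
$target = Join-Path $activeDir "$policyId.cip"
Copy-Item -Path $binPath -Destination $target -Force
"Deployed $target"

# 5. Rebootless activation: the cmdlet this page names, or RefreshPolicy.exe if it is absent.
$start = Get-Date
if (Get-Command Invoke-WDACRefreshPolicyTool -ErrorAction SilentlyContinue) {
    Invoke-WDACRefreshPolicyTool
} else {
    & (Join-Path $RefreshToolPath 'RefreshPolicy.exe')
    if ($LASTEXITCODE -ne 0) { throw "RefreshPolicy.exe exited with code $LASTEXITCODE" }
}

# 6. Verify: event 3099 in the CodeIntegrity operational log records each activated policy.
#    Assumption: the event text carries the policy GUID, matched here without braces.
$guid   = $policyId.Trim('{}')
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3099; StartTime = $start
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $guid }

if ($events) {
    "Activated: $policyId ($($events.Count) activation event(s))"
} else {
    Write-Warning "No activation event for $policyId since $start; reboot the host or inspect the CodeIntegrity log"
}
```

Run it once per host from an elevated PowerShell session; on a cluster, repeat on every node, since the active policy folder is per host.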

To learn more about installing Windows Cloud Agent on Azure VMs, refer to Deploy Cloud Agent for Windows VMs via Azure Deployment Policy.