Windows 10: Unable to sign WDAC policy filebin or p7b file.

Discussion in 'Windows 10 Gaming' started by pavan_446, Jan 23, 2023.

  1. pavan_446 Win User

    Unable to sign WDAC policy filebin or p7b file.


    Hi,

    To sign our WDAC policy file we are following the Microsoft article "Use signed policies to protect Windows Defender Application Control". In order to sign the SIPolicy file we need to have a code signing certificate. We need a few clarifications, which are described below:

    1. As per the above mentioned link, it specifically needs the ContosoSigningCert code signing certificate to sign the WDAC policy; below is the mentioned command. As we are unable to get this certificate, can you please provide us this certificate? Or, in case we can sign it with some other certificate, please share information regarding that.

    pavan_446, Jan 23, 2023
    #1

  2. Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph

    Hi,



    Thank you for writing to Microsoft Community Forums.



    In order to enable trust for executables based on classifications in the ISG, the Enabled:Intelligent Security Graph authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the Enabled:Invalidate EAs on Reboot option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG.



    Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy, or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.



    Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business, it is straightforward to authorize modern apps with signer rules in the WDAC policy.



    Enabled:Intelligent Security Graph Authorization -> Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG).



    Enabled:Invalidate EAs on Reboot -> When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.



    For more information, you may refer to the articles below.





    If you still have questions, then I suggest you post your query in the IT Pro TechNet Forums, where we have support professionals who are well equipped with the knowledge on Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph.



    Please feel free to contact us back, in case you have any other questions/issues with Windows in future.
     
    Shafeeq_Khan, Jan 23, 2023
    #2
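The two rule options the reply above names, applied with Set-RuleOption and checked in the policy XML before compiling. This is an added example, not code from the post or from Microsoft's article; the policy and output paths are placeholders, and audit mode (option 3) is included so the ISG behaviour can be observed in the Code Integrity log before enforcement.

```powershell
# Added example: enable the ISG-related rule options on an existing WDAC
# policy XML, verify they were written, then compile the policy to binary.
# Assumptions: paths below are placeholders; the ConfigCI cmdlets
# (Set-RuleOption, ConvertFrom-CIPolicy) are available on the authoring host.

$PolicyXml = 'C:\WDAC\MyPolicy.xml'   # placeholder: existing policy XML
$PolicyBin = 'C:\WDAC\SIPolicy.p7b'   # placeholder: compiled output

# Option numbers as used by Set-RuleOption:
#   3  = Enabled:Audit Mode (log instead of block; keep while testing ISG)
#   14 = Enabled:Intelligent Security Graph Authorization
#   15 = Enabled:Invalidate EAs on Reboot
$Options = @{
    3  = 'Enabled:Audit Mode'
    14 = 'Enabled:Intelligent Security Graph Authorization'
    15 = 'Enabled:Invalidate EAs on Reboot'
}

foreach ($n in $Options.Keys) {
    Set-RuleOption -FilePath $PolicyXml -Option $n
}

# Verify by reading the <Rules><Rule><Option> elements the cmdlet writes.
[xml]$doc = Get-Content -Path $PolicyXml -Raw
$present = @($doc.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })

foreach ($name in $Options.Values) {
    if ($present -notcontains $name) {
        throw "Rule option '$name' was not written to $PolicyXml"
    }
}

# Compile to the binary form the Code Integrity engine loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Remove option 3 with Set-RuleOption -Option 3 -Delete once the audit events show the ISG decisions you expect.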
  3. Allow WDAC application Control policy to allow Microsoft patches to run

    Hello All,

    I have created WDAC policy on Windows 10 enterprise. I created the WDAC policy in the following method:

    I used the following files, merged them and created the .BIN file:

    1. AllowMicrosoft.xml (default Microsoft example file that comes with the OS, to allow Microsoft programs to run)

    2. Program Files.xml (scanned Program Files for installed applications)

    3. Program Filesx86.xml (scanned Program Files (x86) for installed applications)

    4. BlockRules.xml (Microsoft recommended block rules for WDAC)

    Merged the above 4 files, created Mypolicy.xml, converted it to a .bin file and copied it to SIPolicy.p7b.

    However, I can see Microsoft Office patches (.MSP) downloaded from WSUS violating code integrity.

    I would like to know how to bypass the patch files in the CI policy. I believe I can't scan the folder and merge it with the existing policy, as patch files would be different for different periods?

    One of the error messages:

    code integrity module \windows\installer\MSI8448.tmp against policy

    Anybody who can shed some light would be appreciated.

    Thank you,

    Regards,

    Alles
     
    Alles Fernando, Jan 23, 2023
    #3
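Before adding any rule for blocked installer files like the MSI8448.tmp above, it helps to see which Code Integrity events fired and which parent process produced the temporary file. This added triage script is not from the post; it assumes the audit (3076) and enforced-block (3077) events in the CodeIntegrity operational log, and that their event data carries the file and process paths in fields named FileNameBuffer and ProcessNameBuffer (an assumption about the event schema).

```powershell
# Added example: collect Code Integrity audit/block events from the last
# week and group blocked \Windows\Installer\MSI*.tmp files by the process
# that loaded them. Assumption: event data field names as observed in
# 3076/3077 events (FileNameBuffer, ProcessNameBuffer).

$Filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddDays(-7)
}

$events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    [xml]$x = $e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 3076) { 'audit' } else { 'block' }
        File    = $data['FileNameBuffer']
        Process = $data['ProcessNameBuffer']
    }
}

# Installer temp files get a new name on every run, so a path rule would not
# hold; the useful signal is which installer process produced them.
$rows |
    Where-Object { $_.File -like '*\Windows\Installer\MSI*.tmp' } |
    Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The process that appears at the top of that list is the one to authorize (for example through a signer rule if it is signed), rather than the .tmp files it extracts.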
  4. RM135 Win User

    WDAC PowerShell policy using Import-Clixml for policy rules error

    I've used the Microsoft documentation example code to create a PowerShell script that takes a Microsoft base WDAC policy and adds file path rules and policy options. This is great as I can store the small PowerShell script in source control and easily make changes and reproduce updated WDAC policies when needed.

    However, I can't do this when using publisher-level rules, as I need direct access to those files each time to scan the file to run "New-CIPolicyRule -Level Publisher". I can't have all these files and apps on my authoring computer, nor can I get network access to them all.

    I'm hoping I can scan the file, then use Export-Clixml to save the results of the scan, then save this in my code repo and use Import-Clixml to get that object back later. I'm getting the error:

    Merge-CIPolicy : Cannot bind parameter 'Rules'. Cannot convert value "Microsoft.SecureBoot.UserConfig.Rule" to type "Microsoft.SecureBoot.UserConfig.Rule". Error: "Cannot convert the "Microsoft.SecureBoot.UserConfig.Rule" value of type "Deserialized.Microsoft.SecureBoot.UserConfig.Rule" to type "Microsoft.SecureBoot.UserConfig.Rule"."

    Any tips?
     
    RM135, Jan 23, 2023
    #4
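The error above is the expected result of round-tripping live Rule objects through Export-Clixml: Import-Clixml returns "Deserialized.*" property bags, not the ConfigCI types the -Rules parameter binds. The added example below (not from the post, and not Microsoft's documented pattern) sidesteps that by writing the scanned rules into a policy XML fragment on the machine that has the binaries, committing that XML, and merging by path later; it also shows the merge-to-XML step from the "Allow WDAC application Control policy" post above. File paths and the file list are placeholders.

```powershell
# Added example: persist publisher-level rules as a policy XML fragment
# instead of a serialized object graph, then merge fragments by path.
# Placeholders: scanned file list, fragment path, base policy, output path.

# --- Step 1: on the machine that has the binaries ---------------------------
$FilesToScan = @('C:\Program Files\Vendor\app.exe',
                 'C:\Program Files\Vendor\helper.dll')
$FragmentXml = 'C:\WDAC\fragments\vendor-publisher.xml'

$Rules = foreach ($f in $FilesToScan) {
    # Publisher level; fall back to a hash rule if a file turns out unsigned.
    New-CIPolicyRule -DriverFilePath $f -Level Publisher -Fallback Hash
}

# New-CIPolicy consumes the live Rule[] here, so what goes into source
# control is plain policy XML that Merge-CIPolicy can read on any host.
New-CIPolicy -Rules $Rules -FilePath $FragmentXml -UserPEs

# --- Step 2: later, on the authoring machine (XML files only) ---------------
$BasePolicy = 'C:\WDAC\base\AllowMicrosoft.xml'
$Merged     = 'C:\WDAC\build\MyPolicy.xml'

Merge-CIPolicy -PolicyPaths @($BasePolicy, $FragmentXml) -OutputFilePath $Merged

# Sanity check: the fragment's publisher rules must survive as <Signer>
# entries in the merged policy before it is compiled with ConvertFrom-CIPolicy.
[xml]$doc = Get-Content -Path $Merged -Raw
$signers = @($doc.SiPolicy.Signers.Signer).Count
if ($signers -lt 1) { throw "No signer rules found in $Merged" }
```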