-
-
Save nasbench/8cfe36c2be67995271fc0b1fa5200cf8 to your computer and use it in GitHub Desktop.
Recovered Microsoft Defender for Endpoint WDAC policy that is dropped to %windir%\System32\CodeIntegrity\ATPSiPolicy.p7b when "Restrict App Execution" is enabled for a device.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.0.0</VersionEx> | |
| <PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:UMCI</Option> | |
| </Rule> | |
| <Rule> | |
| <Option>Enabled:Inherit Default Policy</Option> | |
| </Rule> | |
| <Rule> | |
| <Option>Enabled:Advanced Boot Options Menu</Option> | |
| </Rule> | |
| <Rule> | |
| <Option>Enabled:Update Policy No Reboot</Option> | |
| </Rule> | |
| </Rules> | |
| <EKUs> | |
| <EKU ID="ID_EKU_STORE" Value="010A2B0601040182374C0301" FriendlyName="Windows Store" /> | |
| </EKUs> | |
| <Signers> | |
| <Signer ID="ID_SIGNER_PRODUCT_ROOT_MD5" Name="Microsoft Product Root 1997"> | |
| <CertRoot Type="Wellknown" Value="04" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_PRODUCT_ROOT_SHA1" Name="Microsoft Product Root 2001"> | |
| <CertRoot Type="Wellknown" Value="05" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_PRODUCT_ROOT" Name="Microsoft Product Root 2010"> | |
| <CertRoot Type="Wellknown" Value="06" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_STANDARD_ROOT" Name="Microsoft Standard Root 2001"> | |
| <CertRoot Type="Wellknown" Value="07" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_CODEVERIFICATION_ROOT" Name="Microsoft Code Verification Root 2006"> | |
| <CertRoot Type="Wellknown" Value="08" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_DMD_ROOT" Name="Microsoft DMDRoot 2005"> | |
| <CertRoot Type="Wellknown" Value="0C" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_FLIGHT_ROOT" Name="Microsoft Flight Root 2014"> | |
| <CertRoot Type="Wellknown" Value="0E" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_TEST_ROOT" Name="Microsoft Test Root 2010"> | |
| <CertRoot Type="Wellknown" Value="0A" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_PRODUCT_ROOT_MD5_USER" Name="Microsoft Product Root 1997"> | |
| <CertRoot Type="Wellknown" Value="04" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_PRODUCT_ROOT_SHA1_USER" Name="Microsoft Product Root 2001"> | |
| <CertRoot Type="Wellknown" Value="05" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_PRODUCT_ROOT_USER" Name="Microsoft Product Root 2010"> | |
| <CertRoot Type="Wellknown" Value="06" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_STANDARD_ROOT_USER" Name="Microsoft Standard Root 2001"> | |
| <CertRoot Type="Wellknown" Value="07" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_CODEVERIFICATION_ROOT_USER" Name="Microsoft Code Verification Root 2006"> | |
| <CertRoot Type="Wellknown" Value="08" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_DMD_ROOT_USER" Name="Microsoft DMDRoot 2005"> | |
| <CertRoot Type="Wellknown" Value="0C" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_FLIGHT_ROOT_USER" Name="Microsoft Flight Root 2014"> | |
| <CertRoot Type="Wellknown" Value="0E" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_STORE" Name="Microsoft MarketPlace PCA 2011"> | |
| <CertRoot Type="TBS" Value="FC9EDE3DCCA09186B2D3BF9B738A2050CB1A554DA2DCADB55F3F72EE17721378" /> | |
| <CertEKU ID="ID_EKU_STORE" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_TEST_ROOT_USER" Name="Microsoft Test Root 2010"> | |
| <CertRoot Type="Wellknown" Value="0A" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_WDATPRESTRICTEXECUTION" Name="WdAtpRestrictExecution - Microsoft Defender for Endpoint Update Signer" > | |
| <CertRoot Type="TBS" Value="75EF3425733343967441E38BB096AE47B59BD39068218EEB5A6769F5FA54D091" /> | |
| </Signer> | |
| </Signers> | |
| <SigningScenarios> | |
| <SigningScenario ID="ID_SIGNINGSCENARIO_DRIVERS_1" Value="131"> | |
| <ProductSigners> | |
| <AllowedSigners> | |
| <AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_MD5" /> | |
| <AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_SHA1" /> | |
| <AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT" /> | |
| <AllowedSigner SignerId="ID_SIGNER_STANDARD_ROOT" /> | |
| <AllowedSigner SignerId="ID_SIGNER_CODEVERIFICATION_ROOT" /> | |
| <AllowedSigner SignerId="ID_SIGNER_DMD_ROOT" /> | |
| <AllowedSigner SignerId="ID_SIGNER_FLIGHT_ROOT" /> | |
| <AllowedSigner SignerId="ID_SIGNER_TEST_ROOT" /> | |
| </AllowedSigners> | |
| </ProductSigners> | |
| <TestSigners /> | |
| <TestSigningSigners /> | |
| </SigningScenario> | |
| <SigningScenario ID="ID_SIGNINGSCENARIO_WINDOWS" Value="12"> | |
| <ProductSigners> | |
| <AllowedSigners> | |
| <AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_MD5_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_SHA1_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_STANDARD_ROOT_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_CODEVERIFICATION_ROOT_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_DMD_ROOT_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_FLIGHT_ROOT_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_STORE" /> | |
| <AllowedSigner SignerId="ID_SIGNER_TEST_ROOT_USER" /> | |
| </AllowedSigners> | |
| </ProductSigners> | |
| <TestSigners /> | |
| <TestSigningSigners /> | |
| </SigningScenario> | |
| </SigningScenarios> | |
| <UpdatePolicySigners> | |
| <UpdatePolicySigner SignerId="ID_SIGNER_WDATPRESTRICTEXECUTION" /> | |
| </UpdatePolicySigners> | |
| <CiSigners> | |
| <CiSigner SignerId="ID_SIGNER_STORE" /> | |
| </CiSigners> | |
| </SiPolicy> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment