Damien Coles f172d00514 Initial release: Declarative AD Framework v2.1.0
Infrastructure-as-code framework for Active Directory objects and Group Policy.
Sanitized from production deployment for public sharing.
2026-02-19 17:02:42 +00:00


<?xml version="1.0" encoding="utf-8"?>
<!--
WDAC Baseline: AllowMicrosoft (Audit Mode)
Trusts all binaries signed by Microsoft root certificates and WHQL-certified
drivers. Audit mode logs CodeIntegrity event 3076 for anything that would be
blocked, without actually blocking execution.
NOTE(review): "WHQL-certified" overstates what this file checks. The kernel-mode
signers below match on the well-known root alone (no CertEKU), so any binary whose
chain ends at one of those roots is trusted whether or not it carries the WHQL EKU.
See the notes on the EKUs and Signers sections.
Review audit logs before switching to enforce mode:
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' |
Where-Object Id -eq 3076
Based on Microsoft's AllowMicrosoft template.
-->
<!-- Multiple-policy format base policy: PolicyID and BasePolicyID carry the same GUID.
A supplemental policy that extends this base must use this GUID as its BasePolicyID. -->
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
<VersionEx>10.0.1.0</VersionEx>
<PolicyID>{7BE95702-9AD4-402C-BCCE-87D8587E0F7D}</PolicyID>
<BasePolicyID>{7BE95702-9AD4-402C-BCCE-87D8587E0F7D}</BasePolicyID>
<!-- Platform ID; appears to be the standard Windows value from the Microsoft template, not policy-specific -->
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<!-- User-mode code integrity: enforce policy on applications, not just drivers -->
<Rule><Option>Enabled:UMCI</Option></Rule>
<!-- AUDIT MODE: log violations (event 3076) without blocking.
To move to enforce mode, remove this option (Set-RuleOption -Delete) and raise VersionEx. -->
<Rule><Option>Enabled:Audit Mode</Option></Rule>
<!-- Do not trust Windows Insider / flighting-signed binaries -->
<Rule><Option>Disabled:Flight Signing</Option></Rule>
<!-- Policy is unsigned (no secure boot signing required).
NOTE(review): an unsigned policy has no tamper protection; a local administrator can
replace or delete it. For the enforce-mode variant, sign the policy, list the signing
certificate under UpdatePolicySigners below, and remove this option. -->
<Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
<!-- Allow F8 boot menu for physically present users.
NOTE(review): this weakens pre-boot protection for anyone with console access and is
normally dropped once the enforce-mode policy is stable. -->
<Rule><Option>Enabled:Advanced Boot Options Menu</Option></Rule>
<!-- Policy updates apply without reboot (relies on the RefreshPolicy.exe rule under FileRules / Signers) -->
<Rule><Option>Enabled:Update Policy No Reboot</Option></Rule>
<!-- Allow supplemental policies to extend this base.
Supplemental policies can only add trust on top of this base, never narrow it. -->
<Rule><Option>Enabled:Allow Supplemental Policies</Option></Rule>
</Rules>
<!-- EKU definitions; Value is the encoded form of the OID given in FriendlyName.
NOTE(review): only ID_EKU_STORE is referenced by a Signer (ID_SIGNER_STORE). ID_EKU_WINDOWS,
ID_EKU_WHQL, ID_EKU_ELAM and ID_EKU_HAL_EXT are declared but no Signer has a CertEKU for
them, so they currently constrain nothing. In Microsoft's template these EKUs scope the
kernel-mode signers via CertEKU; either add those references here (confirm against the
template copy first) or remove the unused definitions so the policy is honest about
what it trusts. -->
<EKUs>
<EKU ID="ID_EKU_WINDOWS" FriendlyName="Windows System Component Verification - 1.3.6.1.4.1.311.10.3.6" Value="010A2B0601040182370A0306" />
<EKU ID="ID_EKU_WHQL" FriendlyName="WHQL Crypto - 1.3.6.1.4.1.311.10.3.5" Value="010A2B0601040182370A0305" />
<EKU ID="ID_EKU_ELAM" FriendlyName="Early Launch AntiMalware - 1.3.6.1.4.1.311.61.4.1" Value="010A2B0601040182373D0401" />
<EKU ID="ID_EKU_HAL_EXT" FriendlyName="HAL Extension - 1.3.6.1.4.1.311.61.5.1" Value="010A2B0601040182373D0501" />
<EKU ID="ID_EKU_STORE" FriendlyName="Windows Store - 1.3.6.1.4.1.311.76.3.1" Value="010A2B0601040182374C0301" />
</EKUs>
<FileRules>
<!-- RefreshPolicy.exe: allows policy refresh without reboot.
The version floor 10.0.19042.0 limits the signer rule that references this attribute
(ID_SIGNER_MICROSOFT_REFRESH_POLICY) to that build of the binary or newer. -->
<FileAttrib ID="ID_FILEATTRIB_REFRESH_POLICY" FriendlyName="RefreshPolicy.exe FileAttribute" FileName="RefreshPolicy.exe" MinimumFileVersion="10.0.19042.0" />
</FileRules>
<Signers>
<!-- ============================================================= -->
<!-- Kernel-mode signers -->
<!-- ============================================================= -->
<!-- All five signers below use CertRoot Type="Wellknown" with no CertEKU, CertPublisher
or FileAttribRef. That is root-level trust: every binary whose chain terminates at the
named Microsoft root is allowed, regardless of EKU or leaf certificate. -->
<!-- Microsoft Product Root 2010: all Microsoft-signed binaries -->
<Signer ID="ID_SIGNER_MICROSOFT_PRODUCTION" Name="Microsoft Product Root 2010">
<CertRoot Type="Wellknown" Value="06" />
</Signer>
<!-- Microsoft Product Root 2001: legacy Microsoft-signed binaries -->
<Signer ID="ID_SIGNER_MICROSOFT_2001" Name="Microsoft Product Root 2001">
<CertRoot Type="Wellknown" Value="05" />
</Signer>
<!-- Microsoft Product Root 1997: oldest legacy binaries -->
<Signer ID="ID_SIGNER_MICROSOFT_1997" Name="Microsoft Product Root 1997">
<CertRoot Type="Wellknown" Value="04" />
</Signer>
<!-- Microsoft Standard Root 2011: standard-signed applications -->
<Signer ID="ID_SIGNER_MICROSOFT_STANDARD" Name="Microsoft Standard Root 2011">
<CertRoot Type="Wellknown" Value="07" />
</Signer>
<!-- Microsoft Code Verification Root 2006 -->
<Signer ID="ID_SIGNER_MICROSOFT_CODEVERIF" Name="Microsoft Code Verification Root 2006">
<CertRoot Type="Wellknown" Value="08" />
</Signer>
<!-- ============================================================= -->
<!-- User-mode signer duplicates (same roots, separate IDs) -->
<!-- ============================================================= -->
<!-- Same Wellknown roots as the kernel-mode set, so the same root-level trust applies
to user-mode code. Separate IDs presumably follow the template's layout of one Signer
per SigningScenario; confirm before merging them. -->
<Signer ID="ID_SIGNER_MICROSOFT_PRODUCTION_USER" Name="Microsoft Product Root 2010">
<CertRoot Type="Wellknown" Value="06" />
</Signer>
<Signer ID="ID_SIGNER_MICROSOFT_2001_USER" Name="Microsoft Product Root 2001">
<CertRoot Type="Wellknown" Value="05" />
</Signer>
<Signer ID="ID_SIGNER_MICROSOFT_1997_USER" Name="Microsoft Product Root 1997">
<CertRoot Type="Wellknown" Value="04" />
</Signer>
<Signer ID="ID_SIGNER_MICROSOFT_STANDARD_USER" Name="Microsoft Standard Root 2011">
<CertRoot Type="Wellknown" Value="07" />
</Signer>
<Signer ID="ID_SIGNER_MICROSOFT_CODEVERIF_USER" Name="Microsoft Code Verification Root 2006">
<CertRoot Type="Wellknown" Value="08" />
</Signer>
<!-- ============================================================= -->
<!-- User-mode-only signers -->
<!-- ============================================================= -->
<!-- Windows Store (MarketPlace PCA 2011), pinned by TBS hash and limited to the Store EKU.
This is the only Signer in the file that uses a CertEKU. -->
<Signer ID="ID_SIGNER_STORE" Name="Microsoft MarketPlace PCA 2011">
<CertRoot Type="TBS" Value="FC9EDE3DCCA09186B2D3BF9B738A2050CB1A554DA2DCADB55F3F72EE17721378" />
<CertEKU ID="ID_EKU_STORE" />
</Signer>
<!-- RefreshPolicy.exe signer (Code Signing PCA 2011).
Pinned by TBS hash, publisher name, and the FileAttribRef, so it admits only
RefreshPolicy.exe (at or above the version floor), not other binaries from this PCA. -->
<Signer ID="ID_SIGNER_MICROSOFT_REFRESH_POLICY" Name="Microsoft Code Signing PCA 2011">
<CertRoot Type="TBS" Value="F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E" />
<CertPublisher Value="Microsoft Corporation" />
<FileAttribRef RuleID="ID_FILEATTRIB_REFRESH_POLICY" />
</Signer>
</Signers>
<SigningScenarios>
<!-- Kernel Mode (131): drivers and kernel components -->
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_KMCI" FriendlyName="Kernel Mode Signing Scenario">
<ProductSigners>
<AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_MICROSOFT_PRODUCTION" />
<AllowedSigner SignerId="ID_SIGNER_MICROSOFT_2001" />
<AllowedSigner SignerId="ID_SIGNER_MICROSOFT_1997" />
<AllowedSigner SignerId="ID_SIGNER_MICROSOFT_STANDARD" />
<AllowedSigner SignerId="ID_SIGNER_MICROSOFT_CODEVERIF" />
</AllowedSigners>
</ProductSigners>
</SigningScenario>
<!-- User Mode (12): applications, DLLs, scripts -->
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_UMCI" FriendlyName="User Mode Signing Scenario">
<ProductSigners>
<AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_MICROSOFT_PRODUCTION_USER" />
<AllowedSigner SignerId="ID_SIGNER_MICROSOFT_2001_USER" />
<AllowedSigner SignerId="ID_SIGNER_MICROSOFT_1997_USER" />
<AllowedSigner SignerId="ID_SIGNER_MICROSOFT_STANDARD_USER" />
<AllowedSigner SignerId="ID_SIGNER_MICROSOFT_CODEVERIF_USER" />
<AllowedSigner SignerId="ID_SIGNER_STORE" />
<AllowedSigner SignerId="ID_SIGNER_MICROSOFT_REFRESH_POLICY" />
</AllowedSigners>
</ProductSigners>
</SigningScenario>
</SigningScenarios>
<!-- Empty because the policy is unsigned (see Enabled:Unsigned System Integrity Policy).
When the policy is signed, the signing certificate must be listed here or later
signed updates cannot be applied. -->
<UpdatePolicySigners />
<!-- NOTE(review): only the Store signer is listed here while the UMCI scenario allows
seven signers; confirm against Microsoft's template whether the other user-mode
signers are expected in CiSigners as well. -->
<CiSigners>
<CiSigner SignerId="ID_SIGNER_STORE" />
</CiSigners>
<!-- 0: this policy does not require HVCI / memory integrity (1 = enabled, 2 = strict) -->
<HvciOptions>0</HvciOptions>
<!-- Informational metadata only; does not affect enforcement.
The Id value is just the first segment of PolicyID. -->
<Settings>
<Setting Provider="PolicyInfo" Key="Information" ValueName="Name">
<Value><String>Example-WDAC-AllowMicrosoft-Audit</String></Value>
</Setting>
<Setting Provider="PolicyInfo" Key="Information" ValueName="Id">
<Value><String>7BE95702</String></Value>
</Setting>
</Settings>
<!-- NOTE(review): Microsoft's template policies also end with a PolicyTypeID element;
confirm that ConvertFrom-CIPolicy accepts this file without it. -->
</SiPolicy>