| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.0.0</VersionEx> <!-- Version number of this policy document. --> | |
| <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> <!-- NOTE(review): a PolicyTypeID element with no PolicyID/BasePolicyID suggests the older single-policy format; confirm this matches the target Windows builds. --> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> <!-- Policy rule options. No "Enabled:Audit Mode" option is listed, so this policy blocks non-matching code instead of only logging it. --> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> <!-- The policy file need not be signed, so it carries no protection against replacement or removal by a local administrator. UpdatePolicySigners further down is empty to match. --> | |
| </Rule> | |
| <Rule> | |
| <Option>Enabled:Advanced Boot Options Menu</Option> <!-- Leaves the F8 pre-boot menu available to a physically present user. --> | |
| </Rule> | |
| <Rule> | |
| <Option>Required:Enforce Store Applications</Option> <!-- Applies the policy to Universal Windows (Store) apps as well. --> | |
| </Rule> | |
| <Rule> | |
| <Option>Enabled:UMCI</Option> <!-- Extends enforcement from kernel-mode binaries to user-mode executables and scripts. --> | |
| </Rule> | |
| <Rule> | |
| <Option>Enabled:Inherit Default Policy</Option> <!-- Documented by Microsoft as reserved for future use, with no current effect. --> | |
| </Rule> | |
| <Rule> | |
| <Option>Disabled:Flight Signing</Option> <!-- Windows Insider (flight-signed) binaries are not trusted. NOTE(review): the Flighting Root 2014 signers are still listed under both signing scenarios; confirm this option overrides them on the target build. --> | |
| </Rule> | |
| </Rules> | |
| <!-- EKUs: extended key usage OIDs that the signers below can require via CertEKU. Value holds the encoded OID bytes behind a 01 marker and a length byte; FriendlyName repeats the same OID in dotted form. --> | |
| <EKUs> | |
| <EKU ID="ID_EKU_WINDOWS" Value="010A2B0601040182370A0306" FriendlyName="Windows System Component Verification - 1.3.6.1.4.1.311.10.3.6" /> | |
| <EKU ID="ID_EKU_WHQL" Value="010A2B0601040182370A0305" FriendlyName="Windows Hardware Driver Verification - 1.3.6.1.4.1.311.10.3.5" /> | |
| <EKU ID="ID_EKU_ELAM" Value="010A2B0601040182373D0401" FriendlyName="Early Launch Antimalware Driver - 1.3.6.1.4.1.311.61.4.1" /> | |
| <EKU ID="ID_EKU_HAL_EXT" Value="010A2B0601040182373D0501" FriendlyName="HAL Extension - 1.3.6.1.4.1.311.61.5.1" /> | |
| <EKU ID="ID_EKU_STORE" Value="010A2B0601040182374C0301" FriendlyName="Windows Store EKU - 1.3.6.1.4.1.311.76.3.1" /> | |
| <EKU ID="ID_EKU_DCODEGEN" Value="010A2B0601040182374C0501" FriendlyName="Dynamic Code Generation EKU - 1.3.6.1.4.1.311.76.5.1" /> | |
| <EKU ID="ID_EKU_AM" Value="010A2B0601040182374C0B01" FriendlyName="AntiMalware EKU - 1.3.6.1.4.1.311.76.11.1" /> | |
| </EKUs> | |
| <!-- Signers: each entry pairs a trusted root (CertRoot) with an optional required EKU (CertEKU). The *_USER entries repeat the same root and EKU under a second ID; those IDs are the ones referenced by the user-mode signing scenario. --> | |
| <Signers> | |
| <Signer ID="ID_SIGNER_WHQL_MD5" Name="Microsoft Product Root WHQL EKU MD5"> <!-- NOTE(review): the MD5- and SHA1-named WHQL signers are allowed in both signing scenarios; check whether these legacy chains are still needed. --> | |
| <CertRoot Type="Wellknown" Value="04" /> | |
| <CertEKU ID="ID_EKU_WHQL" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_WHQL_MD5_USER" Name="Microsoft Product Root WHQL EKU MD5"> | |
| <CertRoot Type="Wellknown" Value="04" /> | |
| <CertEKU ID="ID_EKU_WHQL" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_WHQL_SHA1_USER" Name="Microsoft Product Root WHQL EKU SHA1"> | |
| <CertRoot Type="Wellknown" Value="05" /> | |
| <CertEKU ID="ID_EKU_WHQL" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_WHQL_SHA1" Name="Microsoft Product Root WHQL EKU SHA1"> | |
| <CertRoot Type="Wellknown" Value="05" /> | |
| <CertEKU ID="ID_EKU_WHQL" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_WINDOWS_PRODUCTION" Name="Microsoft Product Root 2010 Windows EKU"> | |
| <CertRoot Type="Wellknown" Value="06" /> | |
| <CertEKU ID="ID_EKU_WINDOWS" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_ELAM_PRODUCTION" Name="Microsoft Product Root 2010 ELAM EKU"> | |
| <CertRoot Type="Wellknown" Value="06" /> | |
| <CertEKU ID="ID_EKU_ELAM" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_HAL_PRODUCTION" Name="Microsoft Product Root 2010 HAL EKU"> | |
| <CertRoot Type="Wellknown" Value="06" /> | |
| <CertEKU ID="ID_EKU_HAL_EXT" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_WINDOWS_PRODUCTION_USER" Name="Microsoft Product Root 2010 Windows EKU"> | |
| <CertRoot Type="Wellknown" Value="06" /> | |
| <CertEKU ID="ID_EKU_WINDOWS" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_ELAM_PRODUCTION_USER" Name="Microsoft Product Root 2010 ELAM EKU"> | |
| <CertRoot Type="Wellknown" Value="06" /> | |
| <CertEKU ID="ID_EKU_ELAM" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_HAL_PRODUCTION_USER" Name="Microsoft Product Root 2010 HAL EKU"> | |
| <CertRoot Type="Wellknown" Value="06" /> | |
| <CertEKU ID="ID_EKU_HAL_EXT" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_WHQL_SHA2_USER" Name="Microsoft Product Root 2010 WHQL EKU"> | |
| <CertRoot Type="Wellknown" Value="06" /> | |
| <CertEKU ID="ID_EKU_WHQL" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_WHQL_SHA2" Name="Microsoft Product Root 2010 WHQL EKU"> | |
| <CertRoot Type="Wellknown" Value="06" /> | |
| <CertEKU ID="ID_EKU_WHQL" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_DCODEGEN" Name="MincryptKnownRootMicrosoftProductRoot2010"> | |
| <CertRoot Type="Wellknown" Value="06" /> | |
| <CertEKU ID="ID_EKU_DCODEGEN" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_AM" Name="MincryptKnownRootMicrosoftStandardRoot2011"> | |
| <CertRoot Type="Wellknown" Value="07" /> | |
| <CertEKU ID="ID_EKU_AM" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_DRM" Name="MincryptKnownRootMicrosoftDMDRoot2005"> <!-- The only signer without a CertEKU child. NOTE(review): presumably any certificate chaining to this root matches whatever its EKU; confirm that is intended. --> | |
| <CertRoot Type="Wellknown" Value="0C" /> | |
| </Signer> | |
| <!-- Start: Flighting related signers (well-known root 0E, Microsoft Flighting Root 2014) --> | |
| <Signer ID="ID_SIGNER_WINDOWS_FLIGHT_ROOT" Name="Microsoft Flighting Root 2014 Windows EKU"> | |
| <CertRoot Type="Wellknown" Value="0E" /> | |
| <CertEKU ID="ID_EKU_WINDOWS" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_ELAM_FLIGHT" Name="Microsoft Flighting Root 2014 ELAM EKU"> | |
| <CertRoot Type="Wellknown" Value="0E" /> | |
| <CertEKU ID="ID_EKU_ELAM" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_HAL_FLIGHT" Name="Microsoft Flighting Root 2014 HAL EKU"> | |
| <CertRoot Type="Wellknown" Value="0E" /> | |
| <CertEKU ID="ID_EKU_HAL_EXT" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_WHQL_FLIGHT_SHA2" Name="Microsoft Flighting Root 2014 WHQL EKU"> | |
| <CertRoot Type="Wellknown" Value="0E" /> | |
| <CertEKU ID="ID_EKU_WHQL" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_WINDOWS_FLIGHT_ROOT_USER" Name="Microsoft Flighting Root 2014 Windows EKU"> | |
| <CertRoot Type="Wellknown" Value="0E" /> | |
| <CertEKU ID="ID_EKU_WINDOWS" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_ELAM_FLIGHT_USER" Name="Microsoft Flighting Root 2014 ELAM EKU"> | |
| <CertRoot Type="Wellknown" Value="0E" /> | |
| <CertEKU ID="ID_EKU_ELAM" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_HAL_FLIGHT_USER" Name="Microsoft Flighting Root 2014 HAL EKU"> | |
| <CertRoot Type="Wellknown" Value="0E" /> | |
| <CertEKU ID="ID_EKU_HAL_EXT" /> | |
| </Signer> | |
| <Signer ID="ID_SIGNER_WHQL_FLIGHT_SHA2_USER" Name="Microsoft Flighting Root 2014 WHQL EKU"> | |
| <CertRoot Type="Wellknown" Value="0E" /> | |
| <CertEKU ID="ID_EKU_WHQL" /> | |
| </Signer> | |
| <!-- End: Flighting related signers --> | |
| <Signer ID="ID_SIGNER_STORE" Name="Microsoft MarketPlace PCA 2011"> <!-- Unlike the Wellknown entries, Type="TBS" pins one specific certificate by its hash. This signer is also listed under CiSigners. --> | |
| <CertRoot Type="TBS" Value="FC9EDE3DCCA09186B2D3BF9B738A2050CB1A554DA2DCADB55F3F72EE17721378" /> | |
| <CertEKU ID="ID_EKU_STORE" /> | |
| </Signer> | |
| </Signers> | |
| <SigningScenarios> | |
| <!-- Kernel Mode Signing Scenario (Value 131): signers trusted for kernel-mode code. Every WHQL signer is allowed and this file contains no deny rules, so known-vulnerable signed drivers are not blocked by this policy alone. --> | |
| <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_KMCI" FriendlyName="Kernel Mode Signing Scenario"> | |
| <ProductSigners> | |
| <AllowedSigners> | |
| <AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION" /> | |
| <AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION" /> | |
| <AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION" /> | |
| <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2" /> | |
| <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1" /> | |
| <AllowedSigner SignerId="ID_SIGNER_WHQL_MD5" /> | |
| <AllowedSigner SignerId="ID_SIGNER_WINDOWS_FLIGHT_ROOT" /> | |
| <AllowedSigner SignerId="ID_SIGNER_ELAM_FLIGHT" /> | |
| <AllowedSigner SignerId="ID_SIGNER_HAL_FLIGHT" /> | |
| <AllowedSigner SignerId="ID_SIGNER_WHQL_FLIGHT_SHA2" /> | |
| </AllowedSigners> | |
| </ProductSigners> | |
| </SigningScenario> | |
| <!-- User Mode Signing Scenario (Value 12): signers trusted for user-mode code, in effect through the Enabled:UMCI rule option. Only Microsoft-named roots and the Store certificate are listed, so as written other publishers' user-mode code would not be allowed; add signer or file rules before enforcing on machines that run it. --> | |
| <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_UMCI" FriendlyName="User Mode Signing Scenario"> | |
| <ProductSigners> | |
| <AllowedSigners> | |
| <AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_WHQL_MD5_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_WINDOWS_FLIGHT_ROOT_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_ELAM_FLIGHT_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_HAL_FLIGHT_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_WHQL_FLIGHT_SHA2_USER" /> | |
| <AllowedSigner SignerId="ID_SIGNER_STORE" /> | |
| <AllowedSigner SignerId="ID_SIGNER_DRM" /> | |
| <AllowedSigner SignerId="ID_SIGNER_DCODEGEN" /> | |
| <AllowedSigner SignerId="ID_SIGNER_AM" /> | |
| </AllowedSigners> | |
| </ProductSigners> | |
| </SigningScenario> | |
| </SigningScenarios> | |
| <UpdatePolicySigners> <!-- Empty: no signer is designated to authorize policy updates, consistent with the Enabled:Unsigned System Integrity Policy rule option. --> | |
| </UpdatePolicySigners> | |
| <!-- | |
| CiSigners are signers that ConfigCI asks CI to trust for all builds, including | |
| retail builds. | |
| Normally CiSigners is empty or only includes production signers. For an enterprise | |
| ConfigCI policy, you may need to include enterprise signers. Just make sure it | |
| is understood that CiSigners will be trusted by CI for all builds. | |
| --> | |
| <CiSigners> | |
| <!-- | |
| Currently Centennial Apps are launched as Win32 Apps and signed by the store certificate. | |
| We need to allow the enterprise signing scenario to trust the store certificate. | |
| --> | |
| <CiSigner SignerId="ID_SIGNER_STORE" /> | |
| </CiSigners> | |
| <HvciOptions>0</HvciOptions> <!-- NOTE(review): a value of 0 presumably means this policy does not request hypervisor-protected code integrity (HVCI); confirm against the deployment baseline. --> | |
| <Settings> | |
| <Setting Provider="PolicyInfo" Key="Information" ValueName="Name"> <!-- Informational setting holding the policy's display name. --> | |
| <Value> | |
| <String>BaseWindowsDeviceGuardCIPolicy</String> | |
| </Value> | |
| </Setting> | |
| </Settings> | |
| </SiPolicy> |