@mattifestation
Created December 24, 2019 12:27
Since Windows 10 S won't update due to code signing issues, I rolled my own variant of the 10 S policy for my Surface device.
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
<Rule>
<Option>Required:WHQL</Option>
</Rule>
<Rule>
<Option>Enabled:Dynamic Code Security</Option>
</Rule>
<Rule>
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
<Rule>
<Option>Enabled:Inherit Default Policy</Option>
</Rule>
<Rule>
<Option>Required:Enforce Store Applications</Option>
</Rule>
<Rule>
<Option>Enabled:Update Policy No Reboot</Option>
</Rule>
<Rule>
<Option>Disabled:Flight Signing</Option>
</Rule>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
</Rules>
<EKUs>
<EKU ID="ID_EKU_WINDOWS" Value="010A2B0601040182370A0306" FriendlyName="Windows System Component Verification" />
<EKU ID="ID_EKU_WHQL" Value="010A2B0601040182370A0305" FriendlyName="Windows Hardware Driver Verification" />
<EKU ID="ID_EKU_ELAM" Value="010A2B0601040182373D0401" FriendlyName="Early Launch Antimalware Driver" />
<EKU ID="ID_EKU_HAL_EXT" Value="010A2B0601040182373D0501" FriendlyName="HAL Extension" />
<EKU ID="ID_EKU_RT_EXT" Value="010A2B0601040182370A0315" FriendlyName="Windows RT Verification" />
<EKU ID="ID_EKU_STORE" Value="010A2B0601040182374C0301" FriendlyName="Windows Store" />
<EKU ID="ID_EKU_DCODEGEN" Value="010A2B0601040182374C0501" FriendlyName="Dynamic Code Generator" />
<EKU ID="ID_EKU_AM" Value="010A2B0601040182374C0B01" FriendlyName="AntiMalware EKU -1.3.6.1.4.1.311.76.11.1" />
</EKUs>
<FileRules>
<Deny ID="ID_DENY_D_0001" FileName="bash.exe" />
<Deny ID="ID_DENY_D_0002" FileName="CDB.Exe" />
<Deny ID="ID_DENY_D_0003" FileName="cmd.Exe" />
<Deny ID="ID_DENY_D_0004" FileName="cscript.exe" />
<Deny ID="ID_DENY_D_0005" FileName="csi.Exe" />
<Deny ID="ID_DENY_D_0006" FileName="dnx.Exe" />
<Deny ID="ID_DENY_D_0007" FileName="fsi.exe" />
<Deny ID="ID_DENY_D_0008" FileName="hh.exe" />
<Deny ID="ID_DENY_D_0009" FileName="infdefaultinstall.exe" />
<Deny ID="ID_DENY_D_000A" FileName="kd.Exe" />
<Deny ID="ID_DENY_D_000B" FileName="lxrun.exe" />
<Deny ID="ID_DENY_D_000C" FileName="lxssmanager.dll" />
<Deny ID="ID_DENY_D_000D" FileName="lxssmanager.exe" />
<Deny ID="ID_DENY_D_000E" FileName="Microsoft.Workflow.Compiler.exe" />
<Deny ID="ID_DENY_D_000F" FileName="MSBuild.Exe" />
<Deny ID="ID_DENY_D_0010" FileName="mshta.exe" />
<Deny ID="ID_DENY_D_0011" FileName="ntsd.Exe" />
<Deny ID="ID_DENY_D_0012" FileName="powershellcustomhost.exe" />
<Deny ID="ID_DENY_D_0013" FileName="rcsi.Exe" />
<Deny ID="ID_DENY_D_0014" FileName="reg.exe" />
<Deny ID="ID_DENY_D_0015" FileName="regedit.exe" />
<Deny ID="ID_DENY_D_0016" FileName="regedt32.exe" />
<Deny ID="ID_DENY_D_0017" FileName="regini.exe" />
<Deny ID="ID_DENY_D_0018" FileName="runscripthelper.exe" />
<Deny ID="ID_DENY_D_0019" FileName="samlock.exe" />
<Deny ID="ID_DENY_D_001A" FileName="wbemtest.exe" />
<Deny ID="ID_DENY_D_001B" FileName="windbg.Exe" />
<Deny ID="ID_DENY_D_001C" FileName="wmic.exe" />
<Deny ID="ID_DENY_D_001D" FileName="wscript.exe" />
<Deny ID="ID_DENY_D_001E" FileName="wsl.exe" />
<Deny ID="ID_DENY_D_001F" FileName="wslconfig.exe" />
<Deny ID="ID_DENY_D_0020" FileName="wslhost.exe" />
<Deny ID="ID_DENY_D_0021" FileName="MSBuild.dll" />
<Deny ID="ID_DENY_D_0022" FileName="dotnet.exe" />
<Deny ID="ID_DENY_D_0023" FileName="Microsoft.Build.dll" />
<Deny ID="ID_DENY_D_0024" FileName="Microsoft.Build.Framework.dll" />
<!-- Win 10 1909 - Will require periodic updating -->
<!-- To block all previous versions, take the current version and subtract by one -->
<Deny ID="ID_DENY_D_0025" FileName="msxml3.dll" MinimumFileVersion="8.110.18362.238" />
<Deny ID="ID_DENY_D_0026" FileName="msxml6.dll" MinimumFileVersion="6.30.18362.417" />
<Deny ID="ID_DENY_D_0027" FileName="jscript9.dll" MinimumFileVersion="11.00.18362.0" />
</FileRules>
<Signers>
<Signer Name="MincryptKnownRootMicrosoftDMDRoot2005" ID="ID_SIGNER_DRM">
<CertRoot Type="Wellknown" Value="0C" />
</Signer>
<Signer Name="MincryptKnownRootMicrosoftProductRoot2010" ID="ID_SIGNER_DCODEGEN">
<CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_DCODEGEN" />
</Signer>
<Signer Name="MincryptKnownRootMicrosoftStandardRoot2011" ID="ID_SIGNER_AM">
<CertRoot Type="Wellknown" Value="07" />
<CertEKU ID="ID_EKU_AM" />
</Signer>
<Signer Name="Microsoft Product Root 2010 Windows EKU" ID="ID_SIGNER_WINDOWS_PRODUCTION">
<CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_WINDOWS" />
</Signer>
<Signer Name="Microsoft Product Root 2010 ELAM EKU" ID="ID_SIGNER_ELAM_PRODUCTION">
<CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_ELAM" />
</Signer>
<Signer Name="Microsoft Product Root 2010 HAL EKU" ID="ID_SIGNER_HAL_PRODUCTION">
<CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_HAL_EXT" />
</Signer>
<Signer Name="Microsoft Product Root 2010 WHQL EKU" ID="ID_SIGNER_WHQL_SHA2">
<CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_WHQL" />
</Signer>
<Signer Name="Microsoft Product Root WHQL EKU SHA1" ID="ID_SIGNER_WHQL_SHA1">
<CertRoot Type="Wellknown" Value="05" />
<CertEKU ID="ID_EKU_WHQL" />
</Signer>
<Signer Name="Microsoft Product Root WHQL EKU MD5" ID="ID_SIGNER_WHQL_MD5">
<CertRoot Type="Wellknown" Value="04" />
<CertEKU ID="ID_EKU_WHQL" />
</Signer>
<Signer Name="Signer 16" ID="ID_SIGNER_STORE">
<CertRoot Type="TBS" Value="FC9EDE3DCCA09186B2D3BF9B738A2050CB1A554DA2DCADB55F3F72EE17721378" />
<CertEKU ID="ID_EKU_STORE" />
</Signer>
<Signer Name="Microsoft Product Root 2010 RT EKU" ID="ID_SIGNER_RT_PRODUCTION">
<CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_RT_EXT" />
</Signer>
<Signer Name="Microsoft Standard Root 2001 RT EKU" ID="ID_SIGNER_RT_STANDARD">
<CertRoot Type="Wellknown" Value="07" />
<CertEKU ID="ID_EKU_RT_EXT" />
</Signer>
<Signer Name="Microsoft Windows PCA 2010" ID="ID_SIGNER_MSFT_PCA_2010_AM">
<CertRoot Type="TBS" Value="90C9669670E75989159E6EEF69625EB6AD17CBA6209ED56F5665D55450A05212" />
<CertEKU ID="ID_EKU_AM" />
</Signer>
</Signers>
<SigningScenarios>
<SigningScenario ID="ID_SIGNINGSCENARIO_DRIVERS_1" Value="131">
<ProductSigners>
<AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION" />
<AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION" />
<AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_MD5" />
<AllowedSigner SignerId="ID_SIGNER_MSFT_PCA_2010_AM" />
</AllowedSigners>
</ProductSigners>
<TestSigners />
<TestSigningSigners />
</SigningScenario>
<SigningScenario ID="ID_SIGNINGSCENARIO_WINDOWS" Value="12">
<ProductSigners>
<AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION" />
<AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION" />
<AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_MD5" />
<AllowedSigner SignerId="ID_SIGNER_STORE" />
<AllowedSigner SignerId="ID_SIGNER_RT_PRODUCTION" />
<AllowedSigner SignerId="ID_SIGNER_DRM" />
<AllowedSigner SignerId="ID_SIGNER_DCODEGEN" />
<AllowedSigner SignerId="ID_SIGNER_AM" />
<AllowedSigner SignerId="ID_SIGNER_RT_STANDARD" />
<AllowedSigner SignerId="ID_SIGNER_MSFT_PCA_2010_AM" />
</AllowedSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_DENY_D_0001" />
<FileRuleRef RuleID="ID_DENY_D_0002" />
<FileRuleRef RuleID="ID_DENY_D_0003" />
<FileRuleRef RuleID="ID_DENY_D_0004" />
<FileRuleRef RuleID="ID_DENY_D_0005" />
<FileRuleRef RuleID="ID_DENY_D_0006" />
<FileRuleRef RuleID="ID_DENY_D_0007" />
<FileRuleRef RuleID="ID_DENY_D_0008" />
<FileRuleRef RuleID="ID_DENY_D_0009" />
<FileRuleRef RuleID="ID_DENY_D_000A" />
<FileRuleRef RuleID="ID_DENY_D_000B" />
<FileRuleRef RuleID="ID_DENY_D_000C" />
<FileRuleRef RuleID="ID_DENY_D_000D" />
<FileRuleRef RuleID="ID_DENY_D_000E" />
<FileRuleRef RuleID="ID_DENY_D_000F" />
<FileRuleRef RuleID="ID_DENY_D_0010" />
<FileRuleRef RuleID="ID_DENY_D_0011" />
<FileRuleRef RuleID="ID_DENY_D_0012" />
<FileRuleRef RuleID="ID_DENY_D_0013" />
<FileRuleRef RuleID="ID_DENY_D_0014" />
<FileRuleRef RuleID="ID_DENY_D_0015" />
<FileRuleRef RuleID="ID_DENY_D_0016" />
<FileRuleRef RuleID="ID_DENY_D_0017" />
<FileRuleRef RuleID="ID_DENY_D_0018" />
<FileRuleRef RuleID="ID_DENY_D_0019" />
<FileRuleRef RuleID="ID_DENY_D_001A" />
<FileRuleRef RuleID="ID_DENY_D_001B" />
<FileRuleRef RuleID="ID_DENY_D_001C" />
<FileRuleRef RuleID="ID_DENY_D_001D" />
<FileRuleRef RuleID="ID_DENY_D_001E" />
<FileRuleRef RuleID="ID_DENY_D_001F" />
<FileRuleRef RuleID="ID_DENY_D_0020" />
<FileRuleRef RuleID="ID_DENY_D_0021" />
<FileRuleRef RuleID="ID_DENY_D_0022" />
<FileRuleRef RuleID="ID_DENY_D_0023" />
<FileRuleRef RuleID="ID_DENY_D_0024" />
<FileRuleRef RuleID="ID_DENY_D_0025" />
<FileRuleRef RuleID="ID_DENY_D_0026" />
<FileRuleRef RuleID="ID_DENY_D_0027" />
</FileRulesRef>
</ProductSigners>
<TestSigners />
<TestSigningSigners />
</SigningScenario>
</SigningScenarios>
<UpdatePolicySigners />
<CiSigners>
<CiSigner SignerId="ID_SIGNER_STORE" />
</CiSigners>
<Settings>
<Setting Provider="PolicyInfo" Key="Information" ValueName="Name">
<Value>
<String>Surface_Lockdown_Policy</String>
</Value>
</Setting>
<Setting Provider="PolicyInfo" Key="Information" ValueName="Id">
<Value>
<String>12_24_2019</String>
</Value>
</Setting>
</Settings>
</SiPolicy>
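Sanity-checking, compiling and staging the policy above, as an added PowerShell example that is not part of the gist. It assumes the XML is saved as .\Surface_Lockdown_Policy.xml and that it runs in an elevated shell on the Windows 10 build the policy was written for. Two things a practitioner wants before pushing this to a device: confirmation that the three version-bounded Deny rules sit strictly below the msxml3/msxml6/jscript9 builds actually installed (the intent in the XML comment is "block everything older", so a bound at or above the live DLL would deny the OS's own copy), and an audit-mode pass first, since the gist policy carries no Enabled:Audit Mode option and enforces on the first boot.

```powershell
# Added example (not part of the gist): sanity-check, compile and stage the
# Surface_Lockdown_Policy XML above. Assumptions: the XML is saved as
# .\Surface_Lockdown_Policy.xml and this runs elevated on the target build.

$PolicyXml = '.\Surface_Lockdown_Policy.xml'

# 1. The version-bounded Deny rules are meant to block *older* copies only
#    ("take the current version and subtract by one"). Check that each bound is
#    below the DLL actually installed, or the live copy would be denied.
[xml]$doc = Get-Content -Path $PolicyXml -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')

foreach ($rule in $doc.SelectNodes('//si:FileRules/si:Deny[@MinimumFileVersion]', $ns)) {
    $path = Join-Path $env:SystemRoot ('System32\' + $rule.FileName)
    if (-not (Test-Path $path)) { Write-Warning "$($rule.FileName): not found in System32"; continue }
    $vi = (Get-Item $path).VersionInfo
    # Use the numeric parts; the FileVersion string carries build-lab text.
    $installed = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $bound = [version]$rule.MinimumFileVersion
    if ($installed -le $bound) {
        Write-Warning ("{0}: installed {1} is not above the deny bound {2}; the live copy would be blocked" -f $rule.FileName, $installed, $bound)
    } else {
        Write-Host ("{0}: installed {1} is above the deny bound {2}" -f $rule.FileName, $installed, $bound)
    }
}

# 2. Stage an audit-mode variant first. Option 3 is "Enabled:Audit Mode"; the
#    gist policy does not set it, so as written it enforces from the first boot.
$AuditXml = '.\Surface_Lockdown_Policy_Audit.xml'
Copy-Item -Path $PolicyXml -Destination $AuditXml -Force
Set-RuleOption -FilePath $AuditXml -Option 3

# 3. Compile to the binary form the kernel loads. PolicyID equals BasePolicyID
#    here, so this is a single-policy-format policy and lives at the legacy
#    SIPolicy.p7b path. "Enabled:Unsigned System Integrity Policy" means no
#    signing step is needed, which also means any local admin can swap the
#    file out; sign the policy once it is stable.
$Binary = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SIPolicy.p7b'
ConvertFrom-CIPolicy -XmlFilePath $AuditXml -BinaryFilePath $Binary

# 4. The first deployment needs a reboot; "Enabled:Update Policy No Reboot"
#    only covers later updates. After the reboot, event 3076 in the Code
#    Integrity log lists what enforcement mode would have blocked.
function Show-CiAuditEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message | Format-List
}

# 5. Once the audit trail is clean, compile the original (enforcing) XML to the
#    same path and reboot again.
function Publish-EnforcedPolicy {
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $Binary
}

# After the reboot: Show-CiAuditEvents, review, then Publish-EnforcedPolicy and reboot.
```

The version check matters because the Deny rules are keyed on file name only: if Windows Update moves msxml3.dll past the bound the rule stops covering the freshly patched copy (which is the intent), but if the XML is reused on an older build the bound can sit above the installed DLL and the policy denies a component the OS needs.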
mianubaid commented Aug 7, 2023

Hi @mattifestation, could you please provide your advice on blocking batch files? In my experience of working with WDAC, I cannot see an option to block .bat files. We can block cmd completely, but that is not what we want. The idea is to at least block batch files within the standard user profile.
Any idea on how to implement the above will be much appreciated.

@mattifestation (Author)

Hello, @mianubaid. WDAC doesn't work with .bat files by design. AppLocker can be used to audit/block .bat execution, however. Just note that .bat blocking is a weak mitigation and easy to bypass. You would at least benefit from execution attempts being logged.

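One way to get the AppLocker audit/block that the reply above describes, as an added PowerShell example that is not part of the thread: a Script rule collection that denies .bat and .cmd for the built-in Users group while leaving cmd.exe itself to the WDAC policy. The output path, the probe file and the rule GUIDs are arbitrary and were chosen for this example. It starts in AuditOnly, because a blanket deny can break logon scripts, and because members of Administrators normally also carry the Users group in their token, so the deny hits them too unless a narrower group is used.

```powershell
# Added example, not from the gist: AppLocker Script rules that audit (later deny)
# .bat/.cmd execution for standard users, since WDAC does not evaluate batch files.
# Assumptions: elevated PowerShell, local policy only, GUIDs generated for this
# example. BUILTIN\Users is S-1-5-32-545, BUILTIN\Administrators is S-1-5-32-544.

$PolicyPath = Join-Path $env:TEMP 'AppLocker-Scripts.xml'
$Mode = 'AuditOnly'   # switch to 'Enabled' once the 8006 audit events look acceptable

# Deny rules for Users plus the usual default allow rules for the Script
# collection. Once a collection is enabled, anything not explicitly allowed is
# denied, so the allow rules keep %WINDIR%/%PROGRAMFILES% scripts and admins
# working. A Deny rule always wins over an Allow rule in AppLocker.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="$Mode">
    <FilePathRule Id="d3f1c0a2-5b6e-4b7a-9c1d-0e2f3a4b5c6d" Name="Deny .bat for Users" Description="" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="*.bat" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d" Name="Deny .cmd for Users" Description="" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="*.cmd" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="All scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="All scripts in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="Administrators can run all scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $PolicyPath -Encoding UTF8

# The Application Identity service evaluates AppLocker rules. It is a protected
# service on recent builds, so configure its start type with sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Merge into the existing local policy rather than replacing it.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# Dry run against a throwaway batch file, as a standard user and as an admin.
$Sample = Join-Path $env:TEMP 'probe.bat'
'@echo off' | Set-Content -Path $Sample
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Sample -User 'S-1-5-32-545'
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Sample -User 'S-1-5-32-544'

# Audit trail: 8006 = would have been blocked, 8007 = blocked, 8005 = allowed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006, 8007 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

As the reply says, this is a weak control: the value is mostly the 8006/8007 events, which give you a record of who tried to run what, while the WDAC policy above still decides what cmd.exe is allowed to launch.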
@mianubaid

Thanks, @mattifestation. I already deployed WDAC + an AppLocker Script rule collection to cover blocking of cmd/bat files. Just checking if there is a way so that we can rely only on WDAC to achieve this.
From Microsoft: "WDAC doesn't directly control code run via the Windows Command Processor (cmd.exe), including .bat/.cmd script files. However, anything that such a batch script tries to run is subject to WDAC control. If you don't need to run cmd.exe, it's recommended to block it outright or allow it only by exception based on the calling process." The last line, which says to allow it only by exception based on the calling process, makes me think that we can limit it, but I'm not sure how.
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement
Thanks again for your reply.
