@mgraeber-rc
Created September 12, 2023 15:15
Recovered Microsoft Defender for Endpoint WDAC policy that is dropped to %windir%\System32\CodeIntegrity\ATPSiPolicy.p7b when "Restrict App Execution" is enabled for a device.
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
<Rule>
<Option>Enabled:Inherit Default Policy</Option>
</Rule>
<Rule>
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
<Rule>
<Option>Enabled:Update Policy No Reboot</Option>
</Rule>
</Rules>
<EKUs>
<EKU ID="ID_EKU_STORE" Value="010A2B0601040182374C0301" FriendlyName="Windows Store" />
</EKUs>
<Signers>
<Signer ID="ID_SIGNER_PRODUCT_ROOT_MD5" Name="Microsoft Product Root 1997">
<CertRoot Type="Wellknown" Value="04" />
</Signer>
<Signer ID="ID_SIGNER_PRODUCT_ROOT_SHA1" Name="Microsoft Product Root 2001">
<CertRoot Type="Wellknown" Value="05" />
</Signer>
<Signer ID="ID_SIGNER_PRODUCT_ROOT" Name="Microsoft Product Root 2010">
<CertRoot Type="Wellknown" Value="06" />
</Signer>
<Signer ID="ID_SIGNER_STANDARD_ROOT" Name="Microsoft Standard Root 2001">
<CertRoot Type="Wellknown" Value="07" />
</Signer>
<Signer ID="ID_SIGNER_CODEVERIFICATION_ROOT" Name="Microsoft Code Verification Root 2006">
<CertRoot Type="Wellknown" Value="08" />
</Signer>
<Signer ID="ID_SIGNER_DMD_ROOT" Name="Microsoft DMDRoot 2005">
<CertRoot Type="Wellknown" Value="0C" />
</Signer>
<Signer ID="ID_SIGNER_FLIGHT_ROOT" Name="Microsoft Flight Root 2014">
<CertRoot Type="Wellknown" Value="0E" />
</Signer>
<Signer ID="ID_SIGNER_TEST_ROOT" Name="Microsoft Test Root 2010">
<CertRoot Type="Wellknown" Value="0A" />
</Signer>
<Signer ID="ID_SIGNER_PRODUCT_ROOT_MD5_USER" Name="Microsoft Product Root 1997">
<CertRoot Type="Wellknown" Value="04" />
</Signer>
<Signer ID="ID_SIGNER_PRODUCT_ROOT_SHA1_USER" Name="Microsoft Product Root 2001">
<CertRoot Type="Wellknown" Value="05" />
</Signer>
<Signer ID="ID_SIGNER_PRODUCT_ROOT_USER" Name="Microsoft Product Root 2010">
<CertRoot Type="Wellknown" Value="06" />
</Signer>
<Signer ID="ID_SIGNER_STANDARD_ROOT_USER" Name="Microsoft Standard Root 2001">
<CertRoot Type="Wellknown" Value="07" />
</Signer>
<Signer ID="ID_SIGNER_CODEVERIFICATION_ROOT_USER" Name="Microsoft Code Verification Root 2006">
<CertRoot Type="Wellknown" Value="08" />
</Signer>
<Signer ID="ID_SIGNER_DMD_ROOT_USER" Name="Microsoft DMDRoot 2005">
<CertRoot Type="Wellknown" Value="0C" />
</Signer>
<Signer ID="ID_SIGNER_FLIGHT_ROOT_USER" Name="Microsoft Flight Root 2014">
<CertRoot Type="Wellknown" Value="0E" />
</Signer>
<Signer ID="ID_SIGNER_STORE" Name="Microsoft MarketPlace PCA 2011">
<CertRoot Type="TBS" Value="FC9EDE3DCCA09186B2D3BF9B738A2050CB1A554DA2DCADB55F3F72EE17721378" />
<CertEKU ID="ID_EKU_STORE" />
</Signer>
<Signer ID="ID_SIGNER_TEST_ROOT_USER" Name="Microsoft Test Root 2010">
<CertRoot Type="Wellknown" Value="0A" />
</Signer>
<Signer ID="ID_SIGNER_WDATPRESTRICTEXECUTION" Name="WdAtpRestrictExecution - Microsoft Defender for Endpoint Update Signer" >
<CertRoot Type="TBS" Value="75EF3425733343967441E38BB096AE47B59BD39068218EEB5A6769F5FA54D091" />
</Signer>
</Signers>
<SigningScenarios>
<SigningScenario ID="ID_SIGNINGSCENARIO_DRIVERS_1" Value="131">
<ProductSigners>
<AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_MD5" />
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_SHA1" />
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT" />
<AllowedSigner SignerId="ID_SIGNER_STANDARD_ROOT" />
<AllowedSigner SignerId="ID_SIGNER_CODEVERIFICATION_ROOT" />
<AllowedSigner SignerId="ID_SIGNER_DMD_ROOT" />
<AllowedSigner SignerId="ID_SIGNER_FLIGHT_ROOT" />
<AllowedSigner SignerId="ID_SIGNER_TEST_ROOT" />
</AllowedSigners>
</ProductSigners>
<TestSigners />
<TestSigningSigners />
</SigningScenario>
<SigningScenario ID="ID_SIGNINGSCENARIO_WINDOWS" Value="12">
<ProductSigners>
<AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_MD5_USER" />
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_SHA1_USER" />
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_USER" />
<AllowedSigner SignerId="ID_SIGNER_STANDARD_ROOT_USER" />
<AllowedSigner SignerId="ID_SIGNER_CODEVERIFICATION_ROOT_USER" />
<AllowedSigner SignerId="ID_SIGNER_DMD_ROOT_USER" />
<AllowedSigner SignerId="ID_SIGNER_FLIGHT_ROOT_USER" />
<AllowedSigner SignerId="ID_SIGNER_STORE" />
<AllowedSigner SignerId="ID_SIGNER_TEST_ROOT_USER" />
</AllowedSigners>
</ProductSigners>
<TestSigners />
<TestSigningSigners />
</SigningScenario>
</SigningScenarios>
<UpdatePolicySigners>
<UpdatePolicySigner SignerId="ID_SIGNER_WDATPRESTRICTEXECUTION" />
</UpdatePolicySigners>
<CiSigners>
<CiSigner SignerId="ID_SIGNER_STORE" />
</CiSigners>
</SiPolicy>
@mgraeber-rc

This policy allows all Microsoft-signed and Microsoft Store-signed code to execute. This will not prevent Microsoft-signed LOLBins from executing. This policy is designed to "stop the bleeding" when a device is suspected to be compromised. To deploy this policy, enable "Restrict App Execution" from the MDE portal.

Policy GUID {4E61C68C-97F6-430B-9CD7-9B1004706770} corresponds to the binary policy that MDE drops to %windir%\System32\CodeIntegrity\ATPSiPolicy.p7b. You can confirm that the MDE policy is deployed on the endpoint with the following command: CiTool.exe --list-policies

When the policy is deployed, you should see a similar entry in the output:

Policy:
    Policy ID: 4e61c68c-97f6-430b-9cd7-9b1004706770
    Base Policy ID: 4e61c68c-97f6-430b-9cd7-9b1004706770
    Friendly Name:
    Version: 2814749767106560
    Platform Policy: true
    Has File on Disk: true
    Is Currently Enforced: true
    Is Authorized: true
    Status: 0

The MDE policy, 4e61c68c-97f6-430b-9cd7-9b1004706770, is enabled, based on "Is Currently Enforced" showing "true".

Thanks to @jsecurity101 for geeking out with me about this!
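The two checks described in the comment above (what the recovered policy actually authorizes, and whether CiTool reports it as enforced) can be automated. The following is an added example written for this page; it is not code from the gist author, from MDE, or from Microsoft. It embeds a trimmed excerpt of the recovered ATPSiPolicy XML and the CiTool output quoted above (plus one constructed, non-enforced CiTool entry for contrast), parses both, and decodes the packed CiTool version number, which packs the four version fields into 16 bits each, so 2814749767106560 corresponds to the VersionEx 10.0.0.0 in the XML. Function names and the summary format are my own.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Excerpt of the recovered ATPSiPolicy XML from the gist, trimmed to three
# signers so the sample stays short (constructed for this example).
POLICY_XML = """<?xml version="1.0"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID>
<Rules><Rule><Option>Enabled:UMCI</Option></Rule>
<Rule><Option>Enabled:Update Policy No Reboot</Option></Rule></Rules>
<EKUs><EKU ID="ID_EKU_STORE" Value="010A2B0601040182374C0301" FriendlyName="Windows Store" /></EKUs>
<Signers>
<Signer ID="ID_SIGNER_PRODUCT_ROOT_USER" Name="Microsoft Product Root 2010"><CertRoot Type="Wellknown" Value="06" /></Signer>
<Signer ID="ID_SIGNER_STORE" Name="Microsoft MarketPlace PCA 2011">
<CertRoot Type="TBS" Value="FC9EDE3DCCA09186B2D3BF9B738A2050CB1A554DA2DCADB55F3F72EE17721378" /><CertEKU ID="ID_EKU_STORE" /></Signer>
<Signer ID="ID_SIGNER_WDATPRESTRICTEXECUTION" Name="WdAtpRestrictExecution - Microsoft Defender for Endpoint Update Signer">
<CertRoot Type="TBS" Value="75EF3425733343967441E38BB096AE47B59BD39068218EEB5A6769F5FA54D091" /></Signer>
</Signers>
<SigningScenarios><SigningScenario ID="ID_SIGNINGSCENARIO_WINDOWS" Value="12"><ProductSigners><AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_USER" /><AllowedSigner SignerId="ID_SIGNER_STORE" />
</AllowedSigners></ProductSigners></SigningScenario></SigningScenarios>
<UpdatePolicySigners><UpdatePolicySigner SignerId="ID_SIGNER_WDATPRESTRICTEXECUTION" /></UpdatePolicySigners>
</SiPolicy>"""

# CiTool.exe --list-policies output: the first block is the one quoted in the
# gist comment, the second is a constructed non-enforced entry for contrast.
CITOOL_OUTPUT = """Policy:
    Policy ID: 4e61c68c-97f6-430b-9cd7-9b1004706770
    Base Policy ID: 4e61c68c-97f6-430b-9cd7-9b1004706770
    Friendly Name:
    Version: 2814749767106560
    Platform Policy: true
    Has File on Disk: true
    Is Currently Enforced: true
    Is Authorized: true
    Status: 0
Policy:
    Policy ID: 11111111-2222-3333-4444-555555555555
    Is Currently Enforced: false
"""

def parse_policy(xml_text):
    """Pull the parts of a SiPolicy document that decide what may run."""
    root = ET.fromstring(xml_text)
    signers = {}
    for s in root.findall("si:Signers/si:Signer", NS):
        cert_root = s.find("si:CertRoot", NS)
        signers[s.get("ID")] = {"name": s.get("Name"),
                                "root": (cert_root.get("Type"), cert_root.get("Value")),
                                # CertEKU narrows the signer (here: Windows Store EKU)
                                "ekus": [e.get("ID") for e in s.findall("si:CertEKU", NS)]}
    scenarios = {}
    for sc in root.findall("si:SigningScenarios/si:SigningScenario", NS):
        # Value 12 is the user-mode scenario, 131 the kernel-mode one.
        allowed = sc.findall("si:ProductSigners/si:AllowedSigners/si:AllowedSigner", NS)
        scenarios[sc.get("ID")] = [a.get("SignerId") for a in allowed]
    return {"policy_id": root.findtext("si:PolicyTypeID", namespaces=NS),
            "version": root.findtext("si:VersionEx", namespaces=NS),
            "options": [r.findtext("si:Option", namespaces=NS)
                        for r in root.findall("si:Rules/si:Rule", NS)],
            "signers": signers, "scenarios": scenarios,
            # only these signers may replace this policy on the device
            "update_signers": [u.get("SignerId") for u in
                               root.findall("si:UpdatePolicySigners/si:UpdatePolicySigner", NS)]}

def user_mode_signers(policy):
    """Readable list of who may sign user-mode code under this policy."""
    out = []
    for sid in policy["scenarios"]["ID_SIGNINGSCENARIO_WINDOWS"]:
        s = policy["signers"][sid]
        eku = f" EKU={','.join(s['ekus'])}" if s["ekus"] else ""
        out.append(f"{s['name']} [{s['root'][0]} {s['root'][1]}]{eku}")
    return out

def parse_citool(text):
    """Split CiTool --list-policies output into one dict per 'Policy:' block."""
    policies, current = [], None
    for line in text.splitlines():
        if line.strip() == "Policy:":
            current = {}
            policies.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return policies

def decode_version(packed):
    """CiTool prints the version as four 16-bit fields packed into a 64-bit int."""
    n = int(packed)
    return ".".join(str((n >> shift) & 0xFFFF) for shift in (48, 32, 16, 0))

def is_enforced(policies, policy_guid):
    """True if the policy with this GUID (braces optional) is currently enforced."""
    wanted = policy_guid.strip("{}").lower()
    match = next((p for p in policies if p.get("Policy ID", "").lower() == wanted), {})
    return match.get("Is Currently Enforced") == "true"

if __name__ == "__main__":
    pol = parse_policy(POLICY_XML)
    print(pol["policy_id"], pol["version"], pol["options"], user_mode_signers(pol))
    print("MDE policy enforced:", is_enforced(parse_citool(CITOOL_OUTPUT), pol["policy_id"]))
```

On a real endpoint, replace `POLICY_XML` with the output of `ConvertFrom-CIPolicy`-style reconstruction of ATPSiPolicy.p7b (or the full XML from this gist) and `CITOOL_OUTPUT` with the captured `CiTool.exe --list-policies` text; the GUID comparison strips braces and ignores case because the XML uses uppercase braced GUIDs while CiTool prints lowercase ones. Note that `parse_citool` keys on exact field names, so a localized or reformatted CiTool build would need the key strings adjusted.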

@jsecurity101

So much fun!!
