@nasbench
Forked from mgraeber-rc/ATPSiPolicy.xml
Created September 12, 2023 19:58
Recovered Microsoft Defender for Endpoint WDAC policy that is dropped to %windir%\System32\CodeIntegrity\ATPSiPolicy.p7b when "Restrict App Execution" is enabled for a device.
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<!--
  Windows Defender Application Control (Code Integrity) policy in SiPolicy XML form.
  Per the gist description this was recovered from the binary policy that Defender for
  Endpoint drops as ATPSiPolicy.p7b when "Restrict App Execution" is enabled, so the
  content below documents what that feature enforces rather than a policy to be edited.

  Shape of the policy, as visible in this file:
    * no <FileRules> section: every decision is signer (certificate) based, there are
      no per-file hash, path or publisher rules;
    * no <PolicyID>/<BasePolicyID> elements: presumably the legacy single-policy
      format rather than the multiple-policy format (verify with the source system);
    * no "Enabled:Audit Mode" option: the rules are enforced, not merely logged.
-->
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<!-- Policy options. Only the four below are set; notably there is no audit-mode option. -->
<Rules>
<Rule>
<!-- Enforce user-mode code integrity, i.e. the user-mode signing scenario below is enforced, not only the driver scenario. -->
<Option>Enabled:UMCI</Option>
</Rule>
<Rule>
<!-- NOTE(review): effect of this option is not visible here; Microsoft documents it as reserved. Confirm before relying on it. -->
<Option>Enabled:Inherit Default Policy</Option>
</Rule>
<Rule>
<!-- Keeps the advanced boot options (F8) menu available while this policy is active. -->
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
<Rule>
<!-- A replacement policy signed by an UpdatePolicySigner (see bottom of file) takes effect without a reboot. -->
<Option>Enabled:Update Policy No Reboot</Option>
</Rule>
</Rules>
<!-- Extended key usages that signer rules may require. Value appears to be the DER-encoded OID
     1.3.6.1.4.1.311.76.3.1 (Windows Store), prefixed with a tag/length byte pair. -->
<EKUs>
<EKU ID="ID_EKU_STORE" Value="010A2B0601040182374C0301" FriendlyName="Windows Store" />
</EKUs>
<!--
  Signer definitions. Type="Wellknown" roots are referenced by an index that Code Integrity
  maps to a built-in Microsoft root; Type="TBS" roots are pinned by the hash of the certificate's
  To-Be-Signed portion. The first group (no suffix) is referenced from the kernel/driver scenario,
  the "_USER" group is the same set of roots referenced from the user-mode scenario.

  Defender-relevant observation: "Microsoft Test Root 2010" (Wellknown 0A) and
  "Microsoft Flight Root 2014" (Wellknown 0E) are allowed in BOTH scenarios, so test-signed
  and flight-signed Microsoft binaries are permitted by this policy as recovered.
-->
<Signers>
<Signer ID="ID_SIGNER_PRODUCT_ROOT_MD5" Name="Microsoft Product Root 1997">
<CertRoot Type="Wellknown" Value="04" />
</Signer>
<Signer ID="ID_SIGNER_PRODUCT_ROOT_SHA1" Name="Microsoft Product Root 2001">
<CertRoot Type="Wellknown" Value="05" />
</Signer>
<Signer ID="ID_SIGNER_PRODUCT_ROOT" Name="Microsoft Product Root 2010">
<CertRoot Type="Wellknown" Value="06" />
</Signer>
<Signer ID="ID_SIGNER_STANDARD_ROOT" Name="Microsoft Standard Root 2001">
<CertRoot Type="Wellknown" Value="07" />
</Signer>
<Signer ID="ID_SIGNER_CODEVERIFICATION_ROOT" Name="Microsoft Code Verification Root 2006">
<CertRoot Type="Wellknown" Value="08" />
</Signer>
<Signer ID="ID_SIGNER_DMD_ROOT" Name="Microsoft DMDRoot 2005">
<CertRoot Type="Wellknown" Value="0C" />
</Signer>
<Signer ID="ID_SIGNER_FLIGHT_ROOT" Name="Microsoft Flight Root 2014">
<CertRoot Type="Wellknown" Value="0E" />
</Signer>
<!-- Test root allowed for kernel-mode code (see observation above). -->
<Signer ID="ID_SIGNER_TEST_ROOT" Name="Microsoft Test Root 2010">
<CertRoot Type="Wellknown" Value="0A" />
</Signer>
<Signer ID="ID_SIGNER_PRODUCT_ROOT_MD5_USER" Name="Microsoft Product Root 1997">
<CertRoot Type="Wellknown" Value="04" />
</Signer>
<Signer ID="ID_SIGNER_PRODUCT_ROOT_SHA1_USER" Name="Microsoft Product Root 2001">
<CertRoot Type="Wellknown" Value="05" />
</Signer>
<Signer ID="ID_SIGNER_PRODUCT_ROOT_USER" Name="Microsoft Product Root 2010">
<CertRoot Type="Wellknown" Value="06" />
</Signer>
<Signer ID="ID_SIGNER_STANDARD_ROOT_USER" Name="Microsoft Standard Root 2001">
<CertRoot Type="Wellknown" Value="07" />
</Signer>
<Signer ID="ID_SIGNER_CODEVERIFICATION_ROOT_USER" Name="Microsoft Code Verification Root 2006">
<CertRoot Type="Wellknown" Value="08" />
</Signer>
<Signer ID="ID_SIGNER_DMD_ROOT_USER" Name="Microsoft DMDRoot 2005">
<CertRoot Type="Wellknown" Value="0C" />
</Signer>
<Signer ID="ID_SIGNER_FLIGHT_ROOT_USER" Name="Microsoft Flight Root 2014">
<CertRoot Type="Wellknown" Value="0E" />
</Signer>
<!-- Store apps: pinned by TBS hash of "Microsoft MarketPlace PCA 2011" AND constrained to the
     Windows Store EKU, so a leaf certificate under this CA without that EKU does not match. -->
<Signer ID="ID_SIGNER_STORE" Name="Microsoft MarketPlace PCA 2011">
<CertRoot Type="TBS" Value="FC9EDE3DCCA09186B2D3BF9B738A2050CB1A554DA2DCADB55F3F72EE17721378" />
<CertEKU ID="ID_EKU_STORE" />
</Signer>
<!-- Test root allowed for user-mode code (see observation above). -->
<Signer ID="ID_SIGNER_TEST_ROOT_USER" Name="Microsoft Test Root 2010">
<CertRoot Type="Wellknown" Value="0A" />
</Signer>
<!-- TBS-pinned signer referenced only from <UpdatePolicySigners>: it authorises policy updates,
     it is not an allowed signer for executing code. -->
<Signer ID="ID_SIGNER_WDATPRESTRICTEXECUTION" Name="WdAtpRestrictExecution - Microsoft Defender for Endpoint Update Signer" >
<CertRoot Type="TBS" Value="75EF3425733343967441E38BB096AE47B59BD39068218EEB5A6769F5FA54D091" />
</Signer>
</Signers>
<!-- Allow lists per signing scenario. Anything not matching an AllowedSigner in the applicable
     scenario is blocked; there are no DeniedSigners in this policy. -->
<SigningScenarios>
<!-- Value="131": kernel-mode (driver) code. Eight Microsoft roots, including Test and Flight. -->
<SigningScenario ID="ID_SIGNINGSCENARIO_DRIVERS_1" Value="131">
<ProductSigners>
<AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_MD5" />
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_SHA1" />
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT" />
<AllowedSigner SignerId="ID_SIGNER_STANDARD_ROOT" />
<AllowedSigner SignerId="ID_SIGNER_CODEVERIFICATION_ROOT" />
<AllowedSigner SignerId="ID_SIGNER_DMD_ROOT" />
<AllowedSigner SignerId="ID_SIGNER_FLIGHT_ROOT" />
<AllowedSigner SignerId="ID_SIGNER_TEST_ROOT" />
</AllowedSigners>
</ProductSigners>
<!-- Empty: no separate allow list for test-signing or test-signed configurations. -->
<TestSigners />
<TestSigningSigners />
</SigningScenario>
<!-- Value="12": user-mode code (enforced because Enabled:UMCI is set). Same Microsoft roots
     as the driver scenario plus Store-signed applications. Non-Microsoft, non-Store code is
     therefore not allowed to execute, which is the "Restrict App Execution" effect. -->
<SigningScenario ID="ID_SIGNINGSCENARIO_WINDOWS" Value="12">
<ProductSigners>
<AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_MD5_USER" />
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_SHA1_USER" />
<AllowedSigner SignerId="ID_SIGNER_PRODUCT_ROOT_USER" />
<AllowedSigner SignerId="ID_SIGNER_STANDARD_ROOT_USER" />
<AllowedSigner SignerId="ID_SIGNER_CODEVERIFICATION_ROOT_USER" />
<AllowedSigner SignerId="ID_SIGNER_DMD_ROOT_USER" />
<AllowedSigner SignerId="ID_SIGNER_FLIGHT_ROOT_USER" />
<AllowedSigner SignerId="ID_SIGNER_STORE" />
<AllowedSigner SignerId="ID_SIGNER_TEST_ROOT_USER" />
</AllowedSigners>
</ProductSigners>
<TestSigners />
<TestSigningSigners />
</SigningScenario>
</SigningScenarios>
<!-- Only a policy signed by this Defender for Endpoint signer may replace this policy
     (and, with Update Policy No Reboot, do so live). A locally authored policy does not qualify. -->
<UpdatePolicySigners>
<UpdatePolicySigner SignerId="ID_SIGNER_WDATPRESTRICTEXECUTION" />
</UpdatePolicySigners>
<!-- NOTE(review): the Store signer is also listed here; the exact role of <CiSigners> versus the
     scenario allow list is not visible from this file. Confirm against the WDAC policy schema. -->
<CiSigners>
<CiSigner SignerId="ID_SIGNER_STORE" />
</CiSigners>
</SiPolicy>