I'm using a Hyper-V VM, Windows 11 22H2, to test a signed WDAC policy, specifically the fact that even administrators can't disable/remove it, so I decided to try it out.
I've already successfully deployed an unsigned WDAC policy on my host and it works perfectly, but I'm having trouble getting the signed variation to work.
I've checked out this related question and already tried the solution there, which was to use the PolicyID of one of the WDAC policy templates from here in my WDAC policy:
"C:\Windows\schemas\CodeIntegrity\ExamplePolicies"
So I did it: I took one of the PolicyIDs from those example XML files and replaced my BasePolicyID and PolicyID with it, like this:
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
After a reboot of the VM, Windows no longer loads.
Before using that solution, my VM would reboot at least once, but on the 2nd reboot Windows wouldn't load anymore.
I've made a checkpoint prior to deploying it to my VM so I can go back to the previous state in seconds. I'm open to any suggestion. That question was from 3 years ago; I thought maybe things have changed now.
There is almost no information about troubleshooting a signed WDAC policy, or even deploying it; all I found was copy-paste of the text from the official Microsoft Docs website.
I don't know how Australia does it, but kudos to them.
I don't know whether I should add the .cert file I used to create the signed WDAC policy to the VM's certificate store or not, and if I should, which store? I tried the Trusted CAs store, but it didn't work.
Here is how I made my signed WDAC policy (before applying the solution from the question I linked):
First I created my code signing certificate:
New-SelfSignedCertificate -DnsName test.com -CertStoreLocation Cert:\CurrentUser\My\ -Type Codesigning
then exported it to .cert without private keys and to .pfx with private key.
After that, I followed the official Microsoft docs guide and did this:
Add-SignerRule -FilePath "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml" -CertificatePath "C:\Users\username\OneDrive\Desktop\certificate.cer" -Kernel -User -Update
Set-RuleOption -FilePath "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml" -Option 6 -Delete
$PolicyID= Set-CIPolicyIdInfo -FilePath "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml" -ResetPolicyID
$PolicyID = $PolicyID.Substring(11)
$CIPolicyBin = "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\" + $PolicyID + ".cip"
ConvertFrom-CIPolicy "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml" $CIPolicyBin
cd "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\"
.\signtool.exe sign -v /n "test.com" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\{3fc72282-501d-482a-906e-a67b66b8fc42}.cip"
But it didn't work, as mentioned above.
I did the same procedure in order to try the solution from the linked question, with the exception of not running this part:
$PolicyID= Set-CIPolicyIdInfo -FilePath "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml" -ResetPolicyID
$PolicyID = $PolicyID.Substring(11)
$CIPolicyBin = "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\" + $PolicyID + ".cip"
ConvertFrom-CIPolicy "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml" $CIPolicyBin
and instead swapped the PolicyID and BasePolicyID manually, and then used this command to create the .cip file:
ConvertFrom-CIPolicy "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml" "{A244370E-44C9-4C06-B551-F6016E563076}.cip"
I desperately need someone to help me out because I ran out of options to try.
Upvotes: 0
Views: 1058
Reputation: 679
The best way to deploy signed WDAC (now called App Control) policies is by using CiTool.exe, which is available in Windows 11 starting with build 22H2 and in Windows Server 2025 and later. It can be used to deploy signed and unsigned policies. Simply supply it with the path to your .CIP file.
Here is the documentation for it:
Use this syntax in an elevated PowerShell session:
CiTool.exe --update-policy "Path to the CIP file"
If you need more help, such as doing everything you're trying to do not via the command line but with a GUI app, then check out my open-source and free app called AppControl Manager: https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager
You can use it to create signed/unsigned policies, generate certificates, deploy the signed/unsigned policies and a lot more.
Upvotes: 1
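The end-to-end procedure the question and the answer describe (self-signed code-signing certificate, signer rule with -Update, removal of rule option 6, PolicyID reset, conversion to .cip, signtool signing with the App Control policy EKU, and deployment with CiTool.exe), collected into one added PowerShell script. This is an editor's example, not code from either post, the ConfigCI module, or the AppControl Manager project. The working folder, certificate subject, PFX password and signtool.exe path are assumptions, as is the existence of MERGED.xml as a multiple-policy-format base policy, and it assumes the target is a Generation 2 Hyper-V VM with Secure Boot enabled, which signed policies rely on.

```powershell
# Added example (not from the question or the answer): build, sign and deploy a
# signed App Control (WDAC) base policy. Run in an elevated PowerShell session.
# Assumptions to adjust: $Work, the certificate subject, $PfxPassPlain, $SignTool,
# and that $PolicyXml already exists as a multiple-policy-format base policy.
$ErrorActionPreference = 'Stop'
$Work         = 'C:\WDAC\Signed'                                # assumed working folder
$PolicyXml    = Join-Path $Work 'MERGED.xml'                    # assumed existing policy XML
$CerPath      = Join-Path $Work 'WDACSigner.cer'
$PfxPath      = Join-Path $Work 'WDACSigner.pfx'
$SignTool     = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'  # assumed SDK path
$PfxPassPlain = 'ChangeMe!'                                     # assumed, test VM only
$PfxPass      = ConvertTo-SecureString $PfxPassPlain -AsPlainText -Force

# 1. Code-signing certificate. The private key must be exportable so signtool can
#    sign from the PFX; only the public .cer is embedded in the policy as a signer.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=WDAC Policy Signer' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -HashAlgorithm SHA256 -KeyLength 2048 `
    -KeyExportPolicy Exportable
Export-Certificate    -Cert $cert -FilePath $CerPath | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPass | Out-Null

# 2. Authorize this certificate as a kernel/user signer AND as an update policy
#    signer (-Update): only a .cip signed by an UpdatePolicySigners certificate is
#    accepted once the policy is signed. Then delete option 6
#    ("Enabled:Unsigned System Integrity Policy") so an unsigned replacement is
#    refused; this is what keeps administrators from simply swapping the policy out.
Add-SignerRule -FilePath $PolicyXml -CertificatePath $CerPath -Kernel -User -Update
Set-RuleOption -FilePath $PolicyXml -Option 6 -Delete

# 3. Fresh PolicyID/BasePolicyID for the base policy; the binary must be named after it.
#    Set-CIPolicyIdInfo -ResetPolicyID prints "PolicyID = {GUID}", hence Substring(11).
$PolicyId = (Set-CIPolicyIdInfo -FilePath $PolicyXml -ResetPolicyID).Substring(11)
$CipPath  = Join-Path $Work "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $CipPath

# 4. Sign as a detached PKCS#7 carrying the App Control policy EKU (1.3.6.1.4.1.311.79.1).
#    signtool writes "<PolicyID>.cip.p7" into the /p7 directory; the deployed file has
#    to keep the plain "<PolicyID>.cip" name, so move it back over the unsigned binary.
& $SignTool sign /v /f $PfxPath /p $PfxPassPlain /p7 $Work /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $CipPath
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }
Move-Item -Path "$CipPath.p7" -Destination $CipPath -Force

# 5. Deploy with CiTool (Windows 11 22H2 and later). Steps 1-4 can run on the host;
#    copy the signed .cip to the VM and run steps 5-6 there, with a checkpoint taken
#    first, since a bad signed policy can leave the VM unbootable.
& CiTool.exe --update-policy $CipPath -json
if ($LASTEXITCODE -ne 0) { throw "CiTool failed with exit code $LASTEXITCODE" }

# 6. Confirm the policy is registered and signed; IsEnforced reflects the live
#    state, so check again after the reboot that activates it.
(& CiTool.exe --list-policies -json | ConvertFrom-Json).Policies |
    Where-Object PolicyID -eq $PolicyId.Trim('{}') |
    Select-Object PolicyID, FriendlyName, IsSignedPolicy, IsEnforced, IsOnDisk
```

The two things most worth double-checking before the reboot are that the .cip on disk is the signed `.p7` output under the `<PolicyID>.cip` name (an unsigned binary with option 6 deleted is rejected), and that the certificate used by signtool is the same one passed to Add-SignerRule -Update; a mismatch there is enough for the policy to fail validation at boot.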