Hi all,
I couldn't find an article online that matched what I am talking about, so I thought I'd write this here.
Just wanted to provide some feedback on my experience when writing a WDAC XML policy by hand, and on the Rule ID format.
Windows 10 20H2 x64 - Azure AD Joined - MEM Enrolled
Firstly, I had an allow rule like this:
<Allow ID="ID_ALLOW_Program-Name" FriendlyName="C:\Program Files\ProgramPath* FileRule" FilePath="C:\Program Files\ProgramPath*" />
But when it came to running this:
ConvertFrom-CIPolicy $XMLFile $BINFile
I would get this error:
ConvertFrom-CIPolicy : The 'RuleID' attribute is invalid - The value 'ID_ALLOW_Program-Name' is invalid according to its datatype 'urn:schemas-microsoft-com:sipolicy:RuleIdType' - The Pattern constraint failed.
At line:1 char:1
+ ConvertFrom-CIPolicy $XMLFile $BINFile ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (Microsoft.Secur...CIPolicyCommand:ConvertFromCIPolicyCommand) [ConvertFrom-CIPolicy], CIPolicyException
+ FullyQualifiedErrorId : InvalidPolicyFile,Microsoft.SecureBoot.UserConfig.ConvertFromCIPolicyCommand
So after reviewing an auto-created XML file and the rules within it, I tried writing it like this:
Upper Case: <Allow ID="ID_ALLOW_PROGRAM-NAME" FriendlyName="C:\Program Files\ProgramPath* FileRule" FilePath="C:\Program Files\ProgramPath*" />
Which still failed.
But this rule worked:
<Allow ID="ID_ALLOW_PROGRAM_NAME" FriendlyName="C:\Program Files\ProgramPath* FileRule" FilePath="C:\Program Files\ProgramPath*" />
So it appears that dashes are not allowed.
But then I came across another restriction:
<Allow ID="ID_ALLOW_7ZIP" FriendlyName="C:\Program Files\7-Zip* FileRule" FilePath="C:\Program Files\7-Zip*" />
Which had the same error, but this worked:
<Allow ID="ID_ALLOW_SEVENZIP" FriendlyName="C:\Program Files\7-Zip* FileRule" FilePath="C:\Program Files\7-Zip*" />
So there appear to be restrictions on using a digit directly inside the 'name' portion, even though auto-generated rules use digits at the end.
Anyway, just wanted to throw that out there.
Happy deploying!
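To catch these before ConvertFrom-CIPolicy rejects the whole file, here is an added pre-flight check (example code, not from the post above) that lints the IDs of a policy's file rules against the three constraints observed in the post: no lower-case letters, no dashes, and no digit directly after the ID_<TYPE>_ prefix. The policy path is an assumption, and the checks encode only what the post observed, not the full RuleIdType schema pattern, so a rule passing this check can still be rejected.

```powershell
# Added example: pre-flight lint of WDAC rule IDs before ConvertFrom-CIPolicy.
# ASSUMPTION: only the constraints observed in the post are checked; the real
# 'urn:schemas-microsoft-com:sipolicy' RuleIdType pattern is not reproduced here.
function Test-CIPolicyRuleId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path   # path to the hand-written policy XML
    )
    [xml] $policy = Get-Content -LiteralPath $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')

    # File rules (Allow, Deny, FileAttrib, ...) live under /SiPolicy/FileRules
    $nodes = $policy.SelectNodes('//si:FileRules/*[@ID]', $ns)
    foreach ($node in $nodes) {
        $id = $node.GetAttribute('ID')
        $problems = @()
        # -cne / -cmatch are case-sensitive; plain -match would accept lower case
        if ($id -cne $id.ToUpperInvariant())       { $problems += 'contains lower-case letters' }
        if ($id -match '-')                        { $problems += 'contains a dash' }
        # e.g. ID_ALLOW_7ZIP: digit immediately after the ID_<TYPE>_ prefix
        if ($id -cmatch '^ID_[A-Z]+_[0-9]')        { $problems += 'name portion starts with a digit' }
        if ($id -cnotmatch '^ID_[A-Z]+_[A-Z0-9_]+$') { $problems += 'characters outside A-Z, 0-9 and _' }

        [pscustomobject]@{
            Element  = $node.LocalName
            ID       = $id
            Valid    = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Usage (assumed path): list only the offending rules, then fix them before converting
Test-CIPolicyRuleId -Path 'C:\Policies\MyPolicy.xml' | Where-Object { -not $_.Valid }
```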