[Feedback] WDAC XML Policy Rule ID Format

Ian V 1 Reputation point
2021-05-07T00:04:49.59+00:00

Hi all,

I couldn't find an article online that matched what I am talking about, so I thought I'd write this here.

Just wanted to provide my feedback on my experience writing a WDAC XML Policy by hand, and on the Rule ID format.

Windows 10 20H2 x64 - Azure AD Joined - MEM Enrolled

Firstly, I had an allow rule like this:
<Allow ID="ID_ALLOW_Program-Name" FriendlyName="C:\Program Files\ProgramPath* FileRule" FilePath="C:\Program Files\ProgramPath*" />

But when it came to running this:
ConvertFrom-CIPolicy $XMLFile $BINFile

I would get this error:
ConvertFrom-CIPolicy : The 'RuleID' attribute is invalid - The value 'ID_ALLOW_Program-Name' is invalid according to its datatype 'urn:schemas-microsoft-com:sipolicy:RuleIdType' - The Pattern constraint failed.
At line:1 char:1

+ ConvertFrom-CIPolicy $XMLFile $BINFile ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ParserError: (Microsoft.Secur...CIPolicyCommand:ConvertFromCIPolicyCommand) [ConvertFrom-CIPolicy], CIPolicyException
    + FullyQualifiedErrorId : InvalidPolicyFile,Microsoft.SecureBoot.UserConfig.ConvertFromCIPolicyCommand

So after reviewing an auto created XML file, and the rules within, I tried writing it like this:
Upper Case: <Allow ID="ID_ALLOW_PROGRAM-NAME" FriendlyName="C:\Program Files\ProgramPath* FileRule" FilePath="C:\Program Files\ProgramPath*" />
Which still failed.

But this rule worked:
<Allow ID="ID_ALLOW_PROGRAM_NAME" FriendlyName="C:\Program Files\ProgramPath* FileRule" FilePath="C:\Program Files\ProgramPath*" />

So it appears that dashes are not allowed.
But then I came across another restriction:
<Allow ID="ID_ALLOW_7ZIP" FriendlyName="C:\Program Files\7-Zip* FileRule" FilePath="C:\Program Files\7-Zip*" />

Which had the same error, but this worked:
<Allow ID="ID_ALLOW_SEVENZIP" FriendlyName="C:\Program Files\7-Zip* FileRule" FilePath="C:\Program Files\7-Zip*" />

So there appear to be restrictions on using a digit directly inside the 'name' portion, even though auto-generated rules use digits at the end.

Anyway, just wanted to throw that out there.

Happy deploying!
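A pre-check that reflects the constraints observed in the post above, added here as an example (not code from the original post or from Microsoft). The regex is an assumption inferred from those observations, not the official RuleIdType definition, and the sample policy fragment is constructed inline; the namespace comes from the error message quoted above.

```powershell
# ASSUMPTION: pattern inferred from the post (upper case, no dashes, name part
# must not start with a digit); the authoritative rule is the sipolicy schema.
$RuleIdPattern = '^ID_(ALLOW|DENY)_[A-Z][A-Z0-9_]*$'

function Test-WdacRuleIds {
    # Returns one object per Allow/Deny rule whose ID looks invalid, with a hint.
    param([Parameter(Mandatory)][xml]$Policy)

    $ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')

    $problems = @()
    $rules = $Policy.SelectNodes('//si:FileRules/si:Allow | //si:FileRules/si:Deny', $ns)
    foreach ($rule in $rules) {
        $id = $rule.GetAttribute('ID')
        # -cnotmatch: case-sensitive, so lower-case letters are caught
        if ($id -cnotmatch $RuleIdPattern) {
            $hint = if ($id -match '-')                     { 'dash is not allowed' }
                    elseif ($id -match '^ID_(ALLOW|DENY)_[0-9]') { 'name part must not start with a digit' }
                    elseif ($id -cmatch '[a-z]')            { 'use upper case only' }
                    else                                    { 'does not match expected pattern' }
            $problems += [pscustomobject]@{
                ID           = $id
                FriendlyName = $rule.GetAttribute('FriendlyName')
                Hint         = $hint
            }
        }
    }
    return $problems
}

# Constructed sample fragment using the rule IDs discussed above
[xml]$sample = @"
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Allow ID="ID_ALLOW_Program-Name" FriendlyName="dash and mixed case" FilePath="C:\Program Files\ProgramPath*" />
    <Allow ID="ID_ALLOW_7ZIP" FriendlyName="leading digit" FilePath="C:\Program Files\7-Zip*" />
    <Allow ID="ID_ALLOW_SEVENZIP" FriendlyName="accepted form" FilePath="C:\Program Files\7-Zip*" />
  </FileRules>
</SiPolicy>
"@

$bad = Test-WdacRuleIds -Policy $sample
if ($bad) { $bad | Format-Table -AutoSize }   # fix these before ConvertFrom-CIPolicy
else      { Write-Host 'All rule IDs pass the pre-check' }
```

Run it against a real policy with `Test-WdacRuleIds -Policy ([xml](Get-Content $XMLFile -Raw))` before calling ConvertFrom-CIPolicy; it only flags IDs, the schema validation in ConvertFrom-CIPolicy remains the final check.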


1 answer

  1. Jenny Feng 14,081 Reputation points
    2021-05-07T06:39:56.74+00:00

    @Ian V
    Hi,
    Thanks for posting here and sharing the resolution in the community, as it will be helpful to anyone who encounters similar issues.

    If possible, please send a reply and then help to "accept your reply as answer". It would make this reply easier to find for other people who have a similar problem.

    Thank you for your cooperation.
