New-CIPolicyRule
Generates Code Integrity policy rules for drivers.
Syntax
New-CIPolicyRule
[-DriverFiles <DriverFile[]>]
-Level <RuleLevel>
[-Fallback <RuleLevel[]>]
[-Deny]
[-ScriptFileNames]
[<CommonParameters>] New-CIPolicyRule
-DriverFilePath <String>
-Level <RuleLevel>
[-Fallback <RuleLevel[]>]
[-Deny]
[-ScriptFileNames]
[<CommonParameters>] New-CIPolicyRule
-FilePathRule <String>
[-Deny]
[-ScriptFileNames]
[<CommonParameters>] Description
The New-CIPolicyRule cmdlet generates Code Integrity policy rules for drivers. Specify a rule level and an array of DriverFile objects or the path of a driver.
Examples
Example 1: Create policy rules for drivers
PS C:\> $DriverFiles = Get-SystemDriver -ScanPath '.\temp\' -OmitPaths '.\temp\ConfigCITestBinaries' -NoScript
PS C:\> New-CIPolicyRule -Level FileName -DriverFiles $DriverFiles
Scan completed successfully
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.dll FileRule
Id : ID_ALLOW_A_1
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.Tests.dll FileRule
Id : ID_ALLOW_A_3
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : \\?\E:\cmdlets\temp\Microsoft.PackageInspector.Tests.dll FileRule
Id : ID_ALLOW_A_5
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : FalseThe first command gets drivers by using the Get-SystemDriver cmdlet, and then stores them in the $DriverFiles variable.
The second command creates policy rules at the file name level for the drivers in $DriverList. For this example, we present only the first few rules.
Example 2: Create policy rules for drivers and include a fallback value
PS C:\> New-CIPolicyRule -Level Publisher -Fallback Hash -DriverFiles $DriverFiles
"Scan completed successfully"
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.dll Hash Sha1
Id : ID_ALLOW_A_F
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.dll Hash Sha256
Id : ID_ALLOW_A_10
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.dll Hash Page Sha1
Id : ID_ALLOW_A_11
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : FalseThis command generates rule at the Publisher level for the same drivers from the previous example. For files that are unsigned, the cmdlet creates Hash rules, as a fallback. For this example, we present only the first few rules.
Example 3: Specify a policy rule for a kernel component
PS C:\> New-CIPolicyRule -DriverFilePath '.\temp\ConfigCITestBinaries\ci.dll' -Level Publisher
Scan completed successfully
Name : MSIT Test CodeSign CA 3
Id : ID_SIGNER_S_B
TypeId : Allow
Root : FA6B9A2230CE08BCA81D096B28CF495672401D3A43A0D285CF352464A6C9C7FD
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : MSIT Test CodeSign CA 3
Id : ID_SIGNER_S_C
TypeId : Allow
Root : FA6B9A2230CE08BCA81D096B28CF495672401D3A43A0D285CF352464A6C9C7FD
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : TrueThis command generates a publisher rule for the specific file named ci.dll. The file ci.dll is a kernel component. Therefore, the cmdlet generates both a kernel rule and a user mode rule.
Example 4: Specify a policy rule for a folder path with wildcards
PS C:\> New-CIPolicyRule -FilePathRule '.\temp\ConfigCITestBinaries\*'
Name : .\temp\ConfigCITestBinaries\* FileRule
Id : ID_ALLOW_A_1
TypeId : Allow
Root :
FileVersionRef :
AppIDRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : True
attributes : {[AppIDs, ], [MinimumFileVersion, 0.0.0.0], [FilePath, .\temp\ConfigCITestBinaries\*]}This command generates a filepath rule for the specific path verbatim string. This will allow anything in the parent folder.
Parameters
-Deny
Indicates that this cmdlet creates deny rules instead of the default allow rules.
| Type: | SwitchParameter |
| Aliases: | d |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DriverFilePath
Specifies the path of a driver on which this cmdlet bases a rule.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DriverFiles
Specifies an array of DriverFile objects on which this cmdlet bases rules. To obtain a driver file, use the Get-SystemDriver cmdlet.
| Type: | DriverFile[] |
| Aliases: | df |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Fallback
Specifies an array of levels of detail for generated rules. If this cmdlet cannot generate a rule at the specified level, this cmdlet attempts to generate it at a fallback level. The acceptable values for this parameter are the same as for the Level parameter. If you specify multiple fallback levels, this cmdlet tries them in order.
| Type: | RuleLevel[] |
| Accepted values: | None, Hash, FileName, FilePath, SignedVersion, PFN, Publisher, FilePublisher, LeafCertificate, PcaCertificate, RootCertificate, WHQL, WHQLPublisher, WHQLFilePublisher |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-FilePathRule
Specifies the path of a folder for generating a rule with level set to FilePath. Refer to Filepath Rules Info for acceptable wildcard values and usage. This cmdlet will not check whether the filepath string is a valid filepath.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | True |
-Level
Specifies the primary level of detail for generated rules. Refer to WDAC File Rule Levels for acceptable parameter values and descriptions.
| Type: | RuleLevel |
| Aliases: | l |
| Accepted values: | None, Hash, FileName, FilePath, SignedVersion, PFN, Publisher, FilePublisher, LeafCertificate, PcaCertificate, RootCertificate, WHQL, WHQLPublisher, WHQLFilePublisher |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ScriptFileNames
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SpecificFileNameLevel
Specifies the attribute of the file off which to base a file name rule. Refer to File Name Rules Info for a description of the acceptable values.
| Type: | SwitchParameter |
| Accepted values: | None, OriginalFileName, InternalName, FileDescription, ProductName, PackageFamilyName |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Outputs
Rule
This cmdlet returns the rules that it creates.
Related Links
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for