New-CIPolicyRule
Generates Code Integrity policy rules for user mode code and drivers.
New-CIPolicyRule
[-DriverFiles <DriverFile[]>]
-Level <RuleLevel>
[-Fallback <RuleLevel[]>]
[-Deny]
[-ScriptFileNames]
[-AllowFileNameFallbacks]
[-SpecificFileNameLevel <FileNameLevel>]
[-UserWriteablePaths]
[<CommonParameters>]
New-CIPolicyRule
-DriverFilePath <String[]>
[-AppID <String>]
-Level <RuleLevel>
[-Fallback <RuleLevel[]>]
[-Deny]
[-ScriptFileNames]
[-AllowFileNameFallbacks]
[-SpecificFileNameLevel <FileNameLevel>]
[-UserWriteablePaths]
[<CommonParameters>]
New-CIPolicyRule
[-Fallback <RuleLevel[]>]
[-Deny]
[-ScriptFileNames]
[-AllowFileNameFallbacks]
[-SpecificFileNameLevel <FileNameLevel>]
[-UserWriteablePaths]
[-Package <AppxPackage>]
[<CommonParameters>]
New-CIPolicyRule
[-Fallback <RuleLevel[]>]
[-Deny]
[-ScriptFileNames]
[-AllowFileNameFallbacks]
[-SpecificFileNameLevel <FileNameLevel>]
[-UserWriteablePaths]
[-FilePathRule <String>]
[<CommonParameters>]
The New-CIPolicyRule cmdlet generates Code Integrity policy rules for drivers. Specify a rule level and either an array of DriverFile objects or the path of a driver.
PS C:\> $DriverFiles = Get-SystemDriver -ScanPath '.\temp\' -UserPEs -OmitPaths '.\temp\ConfigCITestBinaries' -NoScript
PS C:\> New-CIPolicyRule -Level FileName -DriverFiles $DriverFiles
Scan completed successfully
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.dll FileRule
Id : ID_ALLOW_A_1
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.Tests.dll FileRule
Id : ID_ALLOW_A_3
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : \\?\E:\cmdlets\temp\Microsoft.PackageInspector.Tests.dll FileRule
Id : ID_ALLOW_A_5
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
The first command gets drivers by using the Get-SystemDriver cmdlet, and then stores them in the $DriverFiles variable.
The second command creates policy rules at the FileName level for the drivers in $DriverFiles. For this example, only the first few rules are shown.
PS C:\> New-CIPolicyRule -Level Publisher -Fallback Hash -DriverFiles $DriverFiles
"Scan completed successfully"
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.dll Hash Sha1
Id : ID_ALLOW_A_F
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.dll Hash Sha256
Id : ID_ALLOW_A_10
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.dll Hash Page Sha1
Id : ID_ALLOW_A_11
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
This command generates rules at the Publisher level for the same drivers as in the previous example. For files that are unsigned, the cmdlet creates Hash rules as a fallback. For this example, only the first few rules are shown.
PS C:\> New-CIPolicyRule -DriverFilePath '.\temp\ConfigCITestBinaries\ci.dll' -Level Publisher
Scan completed successfully
Name : MSIT Test CodeSign CA 3
Id : ID_SIGNER_S_B
TypeId : Allow
Root : FA6B9A2230CE08BCA81D096B28CF495672401D3A43A0D285CF352464A6C9C7FD
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : MSIT Test CodeSign CA 3
Id : ID_SIGNER_S_C
TypeId : Allow
Root : FA6B9A2230CE08BCA81D096B28CF495672401D3A43A0D285CF352464A6C9C7FD
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : True
This command generates a publisher rule for the specific file named ci.dll. The file ci.dll is a kernel component. Therefore, the cmdlet generates both a kernel rule and a user mode rule.
PS C:\> New-CIPolicyRule -FilePathRule '.\temp\ConfigCITestBinaries\*'
Name : .\temp\ConfigCITestBinaries\* FileRule
Id : ID_ALLOW_A_1
TypeId : Allow
Root :
FileVersionRef :
AppIDRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : True
attributes : {[AppIDs, ], [MinimumFileVersion, 0.0.0.0], [FilePath, .\temp\ConfigCITestBinaries\*]}
This command generates a FilePath rule for the path string exactly as given. The rule allows anything in that folder.
PS C:\> $packages = Get-AppxPackage -Name *Microsoft*
PS C:\> $packages
Name : Microsoft.NET.Native.Runtime.1.4
Publisher : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture : X86
ResourceId :
Version : 1.4.24201.0
PackageFullName : Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe
InstallLocation : C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe
IsFramework : True
PackageFamilyName : Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe
PublisherId : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle : False
IsDevelopmentMode : False
NonRemovable : False
IsPartiallyStaged : False
SignatureKind : Store
Status : Ok
...
Name : Microsoft.NET.Native.Runtime.1.4
Publisher : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture : X64
ResourceId :
Version : 1.4.24201.0
PackageFullName : Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x64__8wekyb3d8bbwe
InstallLocation : C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x64__8wekyb3d8bbwe
IsFramework : True
PackageFamilyName : Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe
PublisherId : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle : False
IsDevelopmentMode : False
NonRemovable : False
IsPartiallyStaged : False
SignatureKind : Store
Status : Ok
PS C:\> $package_dependencies = $packages.Dependencies
PS C:\> $package_rule = New-CIPolicyRule -Package $packages[0] # repeat for all desired packages in the array
PS C:\> $package_rule += New-CIPolicyRule -Package $package_dependencies[0] # repeat for all dependencies in the array
PS C:\> $package_rule
Name : Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe FileRule
Id : ID_ALLOW_A_1
TypeId : Allow
Root :
FileVersionRef :
AppIDRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : True
attributes : {[AppIDs, ], [MinimumFileVersion, 0.0.0.0], [PackageFamilyName, Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe], [PackageVersion, 1.4.24201.0]}
Name : Microsoft.NET.Native.Framework.2.2_8wekyb3d8bbwe FileRule
Id : ID_ALLOW_A_2
TypeId : Allow
Root :
FileVersionRef :
AppIDRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : True
attributes : {[AppIDs, ], [MinimumFileVersion, 0.0.0.0], [PackageFamilyName, Microsoft.NET.Native.Framework.2.2_8wekyb3d8bbwe], [PackageVersion, 2.2.29512.0]}
This set of commands finds a packaged application matching the specified name and generates an allow rule for the packaged application and its dependencies.
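The example above calls New-CIPolicyRule once per package and once per dependency by hand. The following added example is not part of the reference page; it assumes the same Get-AppxPackage and New-CIPolicyRule cmdlets, uses a constructed -Name filter, and generalizes the example by looping over every matching package and all of its dependencies, skipping any package family and version that has already produced a rule so that a framework shared by several packages is not added twice.

```powershell
# Added example, not from the reference page. Requires the ConfigCI module
# (New-CIPolicyRule) and the Appx module (Get-AppxPackage); run elevated.
$packages = Get-AppxPackage -Name 'Microsoft.NET.Native.*'   # constructed name filter

$seen  = [System.Collections.Generic.HashSet[string]]::new()
$rules = @()

foreach ($pkg in $packages) {
    # The package itself first, then every dependency it declares.
    foreach ($target in (@($pkg) + @($pkg.Dependencies))) {
        if ($null -eq $target) { continue }
        # The generated rule carries only PackageFamilyName and PackageVersion
        # (see the attributes in the output above), so key on those two values;
        # x86 and x64 variants of the same version collapse into one rule.
        $key = '{0}|{1}' -f $target.PackageFamilyName, $target.Version
        if ($seen.Add($key)) {
            $rules += New-CIPolicyRule -Package $target
        }
    }
}

# Review what the rules will allow before merging them into a policy.
$rules | Select-Object Id, TypeId, Name | Format-Table -AutoSize
```

Reviewing the resulting list is worth the extra line: a wildcard -Name filter can match more packages than intended, and every package family in the list becomes an allow rule in the policy.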
-AllowFileNameFallbacks
Indicates that, for files that do not have an OriginalFileName, the cmdlet falls back to the following attributes, in this order:
- InternalName
- FileDescription
- ProductName
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AppID
Specifies an app. This cmdlet creates per-app rules, which control whether specific plug-ins, add-ins, and modules can run from specific apps.
For more information, see Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules.
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Deny
Indicates that this cmdlet creates deny rules instead of the default allow rules.
Type: SwitchParameter
Aliases: d
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-DriverFilePath
Specifies the path of a driver on which this cmdlet bases a rule.
Type: String[]
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-DriverFiles
Specifies an array of DriverFile objects on which this cmdlet bases rules. To obtain a driver file, use the Get-SystemDriver cmdlet.
Type: DriverFile[]
Aliases: df
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-Fallback
Specifies an array of levels of detail for generated rules. If this cmdlet cannot generate a rule at the specified level, it attempts to generate the rule at a fallback level. The acceptable values for this parameter are the same as for the Level parameter. If you specify multiple fallback levels, this cmdlet tries them in order.
Type: RuleLevel[]
Accepted values: None, Hash, FileName, FilePath, SignedVersion, PFN, Publisher, FilePublisher, LeafCertificate, PcaCertificate, RootCertificate, WHQL, WHQLPublisher, WHQLFilePublisher
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
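The Fallback and Deny parameters are easiest to understand together. The following added example is not part of the reference page; it assumes the Get-SystemDriver and New-CIPolicyRule cmdlets shown in the examples above and uses constructed folder paths. It generates allow rules that try FilePublisher, then Publisher, and only then Hash, generates Deny rules at Hash level for a separate folder, and then reports which files ended up on the hash fallback, using the Name pattern of hash rules ("... Hash Sha1", "... Hash Page Sha1") visible in the output of the earlier examples.

```powershell
# Added example, not from the reference page; both scan paths are constructed.
# Allow rules for an application folder: signer-based levels first, Hash last.
$appFiles   = Get-SystemDriver -ScanPath 'C:\Program Files\ExampleApp' -UserPEs -NoScript
$allowRules = New-CIPolicyRule -Level FilePublisher -Fallback Publisher, Hash -DriverFiles $appFiles

# Deny rules at Hash level for binaries that must never run, wherever they are
# copied. -Deny switches the generated rules from Allow to Deny.
$blockedFiles = Get-SystemDriver -ScanPath 'C:\PolicySources\Blocked' -UserPEs -NoScript
$denyRules    = New-CIPolicyRule -Level Hash -DriverFiles $blockedFiles -Deny

# Hash rules are recognisable by their Name suffix in this cmdlet's output.
$hashPattern = ' Hash (Page )?Sha(1|256)$'

# How many allow rules are signer-based versus hash fallbacks?
$allowRules |
    Group-Object -Property { if ($_.Name -match $hashPattern) { 'hash-fallback' } else { 'signer' } } |
    Select-Object Name, Count

# A hash rule matches only that exact binary, so an updated file is no longer
# allowed. List the files that needed the fallback so they can be reviewed
# (for example, to confirm they are expected to be unsigned).
$allowRules |
    Where-Object { $_.Name -match $hashPattern } |
    ForEach-Object { $_.Name -replace $hashPattern, '' } |
    Sort-Object -Unique

# Confirm the deny rules really are Deny, then keep both sets for the policy.
$denyRules | Where-Object { $_.TypeId -eq 'Deny' } | Select-Object Id, Name
$allRules = @($allowRules) + @($denyRules)
```

The fallback order is a policy decision as much as a technical one: each step down the list widens what the rule matches (Publisher allows anything from that signer) or makes it brittle (Hash breaks on the next update), so the audit at the end shows exactly where the policy relies on the weaker level.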
-FilePathRule
Specifies the path of a folder for generating a rule with the level set to FilePath. Refer to Filepath Rules Info for acceptable wildcard values and usage. This cmdlet does not check whether the file path string is a valid file path.
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: True
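Because the cmdlet does not validate the path it is given, it is worth checking the folder before creating a FilePath rule. The following added example is not part of the reference page; the path is constructed, and the Test-UserWritable helper is a hypothetical first-pass check written for this illustration. It verifies that the folder exists and that no broad principal has write access, since a path rule allows whatever is later placed in that folder.

```powershell
# Added example, not from the reference page; the path and the helper are
# constructed for this illustration.
function Test-UserWritable {
    param([Parameter(Mandatory)][string]$Path)

    # Broad principals whose write access would let a standard user place files
    # inside a folder covered by a path rule.
    $broad = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        # Any write bit (WriteData, AppendData, ...) counts; Modify and FullControl
        # include them. Generic rights on some ACEs appear as raw numbers and are
        # not decoded here, so treat this as a first-pass check, not a proof.
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) { return $true }
    }
    return $false
}

$rulePath = 'C:\Program Files\ExampleApp\*'      # constructed path
$folder   = Split-Path -Path $rulePath -Parent

if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
    throw "Folder does not exist: $folder"
}
if (Test-UserWritable -Path $folder) {
    throw "Refusing to create a path rule for a user-writeable folder: $folder"
}

# Only now generate the rule; its Name is the path string exactly as given.
$pathRule = New-CIPolicyRule -FilePathRule $rulePath
$pathRule | Select-Object Id, TypeId, Name
```

The ACL check is deliberately conservative: it only looks at explicit Allow entries for a short list of broad identities, so a folder it flags is certainly a poor candidate for a path rule, while a folder it passes still deserves a look at inherited and generic-rights entries before the rule goes into a policy.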
-Level
Specifies the primary level of detail for generated rules. Refer to WDAC File Rule Levels for acceptable parameter values and descriptions.
Type: RuleLevel
Aliases: l
Accepted values: None, Hash, FileName, FilePath, SignedVersion, PFN, Publisher, FilePublisher, LeafCertificate, PcaCertificate, RootCertificate, WHQL, WHQLPublisher, WHQLFilePublisher
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-Package
Specifies the packaged app (MSIX/Appx) on which to base the rule.
Type: AppxPackage
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-ScriptFileNames
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-SpecificFileNameLevel
Specifies the attribute of the file on which to base a file name rule. The -Level parameter must be set to FileName for this option. Refer to File Name Rules Info for a description of the acceptable values.
Type: FileNameLevel
Accepted values: None, OriginalFileName, InternalName, FileDescription, ProductName, PackageFamilyName
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
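The AllowFileNameFallbacks and SpecificFileNameLevel parameters both concern the version-resource strings a FileName rule is built from. The following added example is not part of the reference page; it assumes the Get-SystemDriver and New-CIPolicyRule cmdlets shown above and a constructed scan path. It first lists the binaries whose OriginalFilename is empty, which are the files that would get no FileName rule without -AllowFileNameFallbacks, and then generates the rules with the fallback order the parameter description gives.

```powershell
# Added example, not from the reference page; the scan path is constructed.
$scanPath = 'C:\Program Files\ExampleApp'

# FileName rules are built from the file's version resource. Show the binaries
# whose OriginalFilename is empty, together with the attributes the cmdlet would
# fall back to (InternalName, then FileDescription, then ProductName).
Get-ChildItem -Path $scanPath -Recurse -Include *.exe, *.dll |
    Where-Object { [string]::IsNullOrEmpty($_.VersionInfo.OriginalFilename) } |
    Select-Object FullName,
        @{ Name = 'InternalName';    Expression = { $_.VersionInfo.InternalName } },
        @{ Name = 'FileDescription'; Expression = { $_.VersionInfo.FileDescription } },
        @{ Name = 'ProductName';     Expression = { $_.VersionInfo.ProductName } }

# Generate the rules: OriginalFileName where present, otherwise the fallback
# attributes in order; a file with none of them gets a Hash rule via -Fallback.
$files = Get-SystemDriver -ScanPath $scanPath -UserPEs -NoScript
$rules = New-CIPolicyRule -Level FileName -SpecificFileNameLevel OriginalFileName `
             -AllowFileNameFallbacks -Fallback Hash -DriverFiles $files

$rules | Select-Object Id, Name
```

The pre-check matters because the fallback attributes are ordinary version-resource strings rather than anything tied to a signer; knowing which files depend on them makes it easier to decide whether those files should instead be covered by a signer-based level such as FilePublisher.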
-UserWriteablePaths
Indicates that this cmdlet includes files identified as user writeable in the policy.
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Rule
This cmdlet returns the rules that it creates.