New-CIPolicyRule
Generates Code Integrity policy rules for user mode code and drivers.
Syntax
New-CIPolicyRule
[-DriverFiles <DriverFile[]>]
-Level <RuleLevel>
[-Fallback <RuleLevel[]>]
[-Deny]
[-ScriptFileNames]
[-AllowFileNameFallbacks]
[-SpecificFileNameLevel <FileNameLevel>]
[-UserWriteablePaths]
[<CommonParameters>]
New-CIPolicyRule
-DriverFilePath <String[]>
[-AppID <String>]
-Level <RuleLevel>
[-Fallback <RuleLevel[]>]
[-Deny]
[-ScriptFileNames]
[-AllowFileNameFallbacks]
[-SpecificFileNameLevel <FileNameLevel>]
[-UserWriteablePaths]
[<CommonParameters>]
New-CIPolicyRule
[-Fallback <RuleLevel[]>]
[-Deny]
[-ScriptFileNames]
[-AllowFileNameFallbacks]
[-SpecificFileNameLevel <FileNameLevel>]
[-UserWriteablePaths]
[-Package <AppxPackage>]
[<CommonParameters>]
New-CIPolicyRule
[-Fallback <RuleLevel[]>]
[-Deny]
[-ScriptFileNames]
[-AllowFileNameFallbacks]
[-SpecificFileNameLevel <FileNameLevel>]
[-UserWriteablePaths]
[-FilePathRule <String>]
[<CommonParameters>]
Description
The New-CIPolicyRule cmdlet generates Code Integrity policy rules for user mode code and drivers. Specify a rule level and either an array of DriverFile objects or the path of a driver.
Examples
Example 1: Create policy rules for drivers
PS C:\> $DriverFiles = Get-SystemDriver -ScanPath '.\temp\' -UserPEs -OmitPaths '.\temp\ConfigCITestBinaries' -NoScript
PS C:\> New-CIPolicyRule -Level FileName -DriverFiles $DriverFiles
Scan completed successfully
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.dll FileRule
Id : ID_ALLOW_A_1
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.Tests.dll FileRule
Id : ID_ALLOW_A_3
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : \\?\E:\cmdlets\temp\Microsoft.PackageInspector.Tests.dll FileRule
Id : ID_ALLOW_A_5
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
The first command gets drivers by using the Get-SystemDriver cmdlet, and then stores them in the $DriverFiles variable.
The second command creates policy rules at the file name level for the drivers in $DriverFiles. For this example, we present only the first few rules.
Example 2: Create policy rules for drivers and include a fallback value
PS C:\> New-CIPolicyRule -Level Publisher -Fallback Hash -DriverFiles $DriverFiles
Scan completed successfully
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.dll Hash Sha1
Id : ID_ALLOW_A_F
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.dll Hash Sha256
Id : ID_ALLOW_A_10
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : \\?\E:\cmdlets\temp\Microsoft.ConfigCI.Commands.dll Hash Page Sha1
Id : ID_ALLOW_A_11
TypeId : Allow
Root :
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
This command generates rules at the Publisher level for the same drivers as in the previous example. For files that are unsigned, the cmdlet creates Hash rules as a fallback. For this example, we present only the first few rules.
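The following added example (not part of the original page) takes Examples 1 and 2 one step further: it generates Publisher rules with a Hash fallback, reports which binaries ended up covered only by hash rules (the unsigned files whose rules must be regenerated whenever the file changes), and writes the rules into an audit-mode policy. The scan folder .\temp\ and the output paths .\DriverPolicy.xml and .\DriverPolicy.bin are assumptions; Get-SystemDriver, New-CIPolicy, Set-RuleOption and ConvertFrom-CIPolicy are the ConfigCI module's own cmdlets.

```powershell
# Added example (not part of the original page). Assumes the ConfigCI module is
# available and that .\temp\ holds the binaries to scan (assumed path).
$driverFiles = Get-SystemDriver -ScanPath '.\temp\' -UserPEs -NoScript

# Primary level Publisher; files that cannot get a Publisher rule fall back to Hash rules.
$rules = New-CIPolicyRule -Level Publisher -Fallback Hash -DriverFiles $driverFiles

# Signer rules carry ID_SIGNER_* identifiers; file and hash rules carry ID_ALLOW_* ones
# (as in the outputs of Examples 2 and 3).
$signerRules = $rules | Where-Object { $_.Id -like 'ID_SIGNER_*' }
$hashRules   = $rules | Where-Object { $_.Id -notlike 'ID_SIGNER_*' -and $_.Name -match ' Hash ' }

# Each unsigned file produces several hash rules (Sha1, Sha256, Page Sha1, Page Sha256),
# so strip the hash suffix to list every hash-only file once.
$unsignedFiles = $hashRules |
    ForEach-Object { $_.Name -replace ' Hash (Page )?Sha(1|256)$', '' } |
    Sort-Object -Unique

"{0} signer rule(s), {1} hash rule(s) covering {2} unsigned file(s)" -f `
    @($signerRules).Count, @($hashRules).Count, @($unsignedFiles).Count
$unsignedFiles | ForEach-Object { "  hash-only: $_" }

# Build a policy from the rules and start it in audit mode (rule option 3 = Enabled:Audit Mode)
# so that would-be blocks are logged and can be reviewed before the policy is enforced.
$policyXml = '.\DriverPolicy.xml'   # assumed output path
New-CIPolicy -Rules $rules -FilePath $policyXml -UserPEs
Set-RuleOption -FilePath $policyXml -Option 3
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath '.\DriverPolicy.bin'
```

The hash-only list is the part worth reading before deploying: every file on it is pinned to its current bytes, so a patched version of that file is blocked until the rules are regenerated, which is why signing the binaries (or choosing a level such as FilePublisher) is preferable to relying on the fallback.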
Example 3: Specify a policy rule for a kernel component
PS C:\> New-CIPolicyRule -DriverFilePath '.\temp\ConfigCITestBinaries\ci.dll' -Level Publisher
Scan completed successfully
Name : MSIT Test CodeSign CA 3
Id : ID_SIGNER_S_B
TypeId : Allow
Root : FA6B9A2230CE08BCA81D096B28CF495672401D3A43A0D285CF352464A6C9C7FD
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : False
Name : MSIT Test CodeSign CA 3
Id : ID_SIGNER_S_C
TypeId : Allow
Root : FA6B9A2230CE08BCA81D096B28CF495672401D3A43A0D285CF352464A6C9C7FD
FileVersionRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : True
This command generates a publisher rule for the specific file named ci.dll. The file ci.dll is a kernel component. Therefore, the cmdlet generates both a kernel rule and a user mode rule.
Example 4: Specify a policy rule for a folder path with wildcards
PS C:\> New-CIPolicyRule -FilePathRule '.\temp\ConfigCITestBinaries\*'
Name : .\temp\ConfigCITestBinaries\* FileRule
Id : ID_ALLOW_A_1
TypeId : Allow
Root :
FileVersionRef :
AppIDRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : True
attributes : {[AppIDs, ], [MinimumFileVersion, 0.0.0.0], [FilePath, .\temp\ConfigCITestBinaries\*]}
This command generates a FilePath rule for the path string exactly as given; the cmdlet does not validate it. The rule allows anything in the folder that precedes the wildcard.
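Because a FilePath rule trusts whatever sits in the folder, it is only appropriate for folders that standard users cannot write to. The following added example (not from the page) inspects the folder's ACL for write access granted to broad identities before generating the rule; the folder .\temp\ConfigCITestBinaries is taken from Example 4, and the function name Test-StandardUserWritable and the list of "broad" identities are the example's own assumptions.

```powershell
# Added example (not part of the original page). Checks whether a folder grants write
# access to broad, non-administrative identities before a FilePath rule is created for it;
# New-CIPolicyRule itself does not validate the path string.
function Test-StandardUserWritable {
    param([Parameter(Mandatory)][string]$Path)

    # Identities held by any interactive or authenticated user (assumed list).
    $broadIdentities = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )
    # Rights that let a caller place, replace or re-permission a file in the folder.
    $writeRights = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                         [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                         [System.Security.AccessControl.FileSystemRights]::Delete -bor
                         [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                         [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                         [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    # Inherited ACEs may use generic rights instead of specific bits: GENERIC_WRITE | GENERIC_ALL.
    $genericWriteBits = 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($broadIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeRights) -ne 0 -or ($rights -band $genericWriteBits) -ne 0) {
            return $true
        }
    }
    return $false
}

$folder = (Resolve-Path '.\temp\ConfigCITestBinaries').Path   # folder from Example 4 (assumed to exist)
if (Test-StandardUserWritable -Path $folder) {
    Write-Warning "$folder is writable by standard users; a FilePath allow rule here would trust any file a user places there. Use Publisher or Hash rules for this folder instead."
} else {
    # Allow everything directly under the folder; the trailing '*' is passed to the cmdlet verbatim.
    $rule = New-CIPolicyRule -FilePathRule (Join-Path $folder '*')
    $rule | Format-List Name, Id, TypeId, UserMode
}
```

The check is deliberately coarse: it looks only at explicit Allow entries for the listed identities and does not evaluate Deny entries or group membership, so a "not writable" result is a reason to proceed, not a proof; a "writable" result is always a reason to pick a different rule level.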
Example 5: Create a policy rule for a packaged application and its dependencies
PS C:\> $packages = Get-AppxPackage -Name *Microsoft*
PS C:\> $packages
Name : Microsoft.NET.Native.Runtime.1.4
Publisher : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture : X86
ResourceId :
Version : 1.4.24201.0
PackageFullName : Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe
InstallLocation : C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe
IsFramework : True
PackageFamilyName : Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe
PublisherId : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle : False
IsDevelopmentMode : False
NonRemovable : False
IsPartiallyStaged : False
SignatureKind : Store
Status : Ok
...
Name : Microsoft.NET.Native.Runtime.1.4
Publisher : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture : X64
ResourceId :
Version : 1.4.24201.0
PackageFullName : Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x64__8wekyb3d8bbwe
InstallLocation : C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x64__8wekyb3d8bbwe
IsFramework : True
PackageFamilyName : Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe
PublisherId : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle : False
IsDevelopmentMode : False
NonRemovable : False
IsPartiallyStaged : False
SignatureKind : Store
Status : Ok
PS C:\> $package_dependencies = $packages.Dependencies
PS C:\> $package_rule = @(New-CIPolicyRule -Package $packages[0]) # repeat for all desired packages in the array
PS C:\> $package_rule += New-CIPolicyRule -Package $package_dependencies[0] # repeat for all dependencies in the array
PS C:\> $package_rule
Name : Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe FileRule
Id : ID_ALLOW_A_1
TypeId : Allow
Root :
FileVersionRef :
AppIDRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : True
attributes : {[AppIDs, ], [MinimumFileVersion, 0.0.0.0], [PackageFamilyName, Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe], [PackageVersion, 1.4.24201.0]}
Name : Microsoft.NET.Native.Framework.2.2_8wekyb3d8bbwe FileRule
Id : ID_ALLOW_A_2
TypeId : Allow
Root :
FileVersionRef :
AppIDRef :
Wellknown : False
Ekus :
Exceptions :
FileAttributes :
FileException : False
UserMode : True
attributes : {[AppIDs, ], [MinimumFileVersion, 0.0.0.0], [PackageFamilyName, Microsoft.NET.Native.Framework.2.2_8wekyb3d8bbwe], [PackageVersion, 2.2.29512.0]}
This set of commands finds a packaged application matching the specified name and generates an allow rule for the packaged application and its dependencies.
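Example 5 asks the reader to repeat the New-CIPolicyRule call for each package and each dependency by hand. The following added example (not part of the original page) does that in a loop and de-duplicates on PackageFamilyName, so a framework package shared by several apps, or the x86 and x64 packages that share a family name in the output above, produces a single rule. The function name New-PackageRuleSet and the name pattern are assumptions.

```powershell
# Added example (not part of the original page). Generates one PFN rule per packaged app
# matching a name pattern and one per distinct dependency, without the manual
# "repeat for each index" step. Dependencies are the AppxPackage objects exposed by the
# package's Dependencies property, as used in Example 5.
function New-PackageRuleSet {
    param(
        [Parameter(Mandatory)][string]$NamePattern,
        [switch]$Deny   # pass -Deny to produce deny rules instead of allow rules
    )
    $seen  = @{}   # PackageFamilyName -> $true, so each family gets exactly one rule
    $rules = @()

    foreach ($pkg in (Get-AppxPackage -Name $NamePattern)) {
        # The package itself first, then whatever it depends on (framework packages).
        $candidates = @($pkg) + @($pkg.Dependencies)
        foreach ($candidate in $candidates) {
            if ($null -eq $candidate) { continue }
            $key = $candidate.PackageFamilyName
            if ($seen.ContainsKey($key)) { continue }
            $seen[$key] = $true
            $rules += New-CIPolicyRule -Package $candidate -Deny:$Deny
        }
    }
    return $rules
}

# Assumed name pattern; matches the packages shown in Example 5.
$packageRules = New-PackageRuleSet -NamePattern '*Microsoft.NET.Native*'
$packageRules | Select-Object Id, TypeId, Name | Format-Table -AutoSize
```

Keying on PackageFamilyName rather than PackageFullName is what makes the de-duplication meaningful: the rule attributes in the output above are expressed in terms of the family name and a PackageVersion, not the full, architecture-specific package name.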
Parameters
-AllowFileNameFallbacks
Indicates that files that do not have an OriginalFileName fall back in the following order:
- InternalName
- FileDescription
- ProductName
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AppID
Specifies an app. This cmdlet creates per-app rules which control whether specific plug-ins, add-ins, and modules can run from specific apps.
For more information, see Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Deny
Indicates that this cmdlet creates deny rules instead of the default allow rules.
Type: | SwitchParameter |
Aliases: | d |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DriverFilePath
Specifies the path of a driver on which this cmdlet bases a rule.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DriverFiles
Specifies an array of DriverFile objects on which this cmdlet bases rules. To obtain a driver file, use the Get-SystemDriver cmdlet.
Type: | DriverFile[] |
Aliases: | df |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Fallback
Specifies an array of levels of detail for generated rules. If this cmdlet cannot generate a rule at the specified level, this cmdlet attempts to generate it at a fallback level. The acceptable values for this parameter are the same as for the Level parameter. If you specify multiple fallback levels, this cmdlet tries them in order.
Type: | RuleLevel[] |
Accepted values: | None, Hash, FileName, FilePath, SignedVersion, PFN, Publisher, FilePublisher, LeafCertificate, PcaCertificate, RootCertificate, WHQL, WHQLPublisher, WHQLFilePublisher |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-FilePathRule
Specifies the path of a folder for generating a rule with level set to FilePath. Refer to Filepath Rules Info for acceptable wildcard values and usage. This cmdlet will not check whether the filepath string is a valid filepath.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | True |
-Level
Specifies the primary level of detail for generated rules. Refer to WDAC File Rule Levels for acceptable parameter values and descriptions.
Type: | RuleLevel |
Aliases: | l |
Accepted values: | None, Hash, FileName, FilePath, SignedVersion, PFN, Publisher, FilePublisher, LeafCertificate, PcaCertificate, RootCertificate, WHQL, WHQLPublisher, WHQLFilePublisher |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Package
Specifies the packaged app (MSIX/Appx) on which to base the rule.
Type: | AppxPackage |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ScriptFileNames
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SpecificFileNameLevel
Specifies the file attribute on which to base a file name rule. -Level must be set to FileName for this option. Refer to File Name Rules Info for a description of the acceptable values.
Type: | FileNameLevel |
Accepted values: | None, OriginalFileName, InternalName, FileDescription, ProductName, PackageFamilyName |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-UserWriteablePaths
Indicates that this cmdlet includes files identified as user writeable in the policy.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Outputs
Rule
This cmdlet returns the rules that it creates.