ACSC E8 Nov 2023-ML1 App control-Audit

Overview:

The Devicie Essential Eight Maturity Level 1 Application Control (Audit) (Nov 2023) configuration is to meet the Australian Cyber Security Centre’s guidance for this mitigation strategy.

Intune Description:

E8 ML1 App Control (Audit) (Nov 2023)

Scope:

This baseline should be applied to Windows devices.

Policy Impact Areas:

When deployed, this policy will impact:

Enforcing Application Control, in audit mode

Deployment Notes

Pre-Deployment Considerations:
- Review existing any other application control products or configurations in use
- Prepare for log review, to move towards implementing Block controls
- Do not assign Block and Audit policies to the same group
Post-Deployment Validation:
- Verify application control logs

Configuration Settings:

Name	Value
Configuration settings format	Enter xml data
App Control for Business policy	<?xml version="1.0" encoding="utf-8"?> <SiPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" PolicyType="Base Policy" xmlns="urn:schemas-microsoft-com:sipolicy"> <VersionEx>10.0.0.5</VersionEx> <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> <PolicyID>{4BC542CF-B192-4796-AEC8-C1275E5030E1}</PolicyID> <BasePolicyID>{4BC542CF-B192-4796-AEC8-C1275E5030E1}</BasePolicyID> <Rules> <Rule> <Option>Enabled:Unsigned System Integrity Policy</Option> </Rule> <Rule> <Option>Enabled:Advanced Boot Options Menu</Option> </Rule> <Rule> <Option>Enabled:UMCI</Option> </Rule> <Rule> <Option>Enabled:Inherit Default Policy</Option> </Rule> <Rule> <Option>Enabled:Update Policy No Reboot</Option> </Rule> <Rule> <Option>Enabled:Dynamic Code Security</Option> </Rule> <Rule> <Option>Enabled:Revoked Expired As Unsigned</Option> </Rule> <Rule> <Option>Enabled:Allow Supplemental Policies</Option> </Rule> <Rule> <Option>Enabled:Managed Installer</Option> </Rule> <Rule> <Option>Required:Enforce Store Applications</Option> </Rule> <Rule> <Option>Enabled:Boot Audit On Failure</Option> </Rule> <Rule> <Option>Enabled:Audit Mode</Option> </Rule> </Rules> <EKUs> <EKU ID="ID_EKU_WINDOWS" Value="010A2B0601040182370A0306" FriendlyName="Windows EKU - 1.3.6.1.4.1.311.10.3.6" /> <EKU ID="ID_EKU_ELAM" Value="010A2B0601040182373D0401" FriendlyName="Early Launch AntiMalware EKU - 1.3.6.1.4.1.311.61.4.1" /> <EKU ID="ID_EKU_HAL_EXT" Value="010A2B0601040182373D0501" FriendlyName="Hardware Abstraction Layer EKU - 1.3.6.1.4.1.311.61.5.1" /> <EKU ID="ID_EKU_WHQL" Value="010A2B0601040182370A0305" FriendlyName="WHQL EKU - 1.3.6.1.4.1.311.10.3.5" /> <EKU ID="ID_EKU_STORE" Value="010A2B0601040182374C0301" FriendlyName="Windows Store EKU - 1.3.6.1.4.1.311.76.3.1" /> <EKU ID="ID_EKU_RT_EXT" Value="010A2B0601040182370A0315" FriendlyName="Windows RT EKU - 1.3.6.1.4.1.311.10.3.21" /> <EKU ID="ID_EKU_DCODEGEN" Value="010A2B0601040182374C0501" FriendlyName="Dynamic Code Generation EKU - 1.3.6.1.4.1.311.76.5.1" /> <EKU ID="ID_EKU_AM" Value="010A2B0601040182374C0B01" FriendlyName="AntiMalware EKU - 1.3.6.1.4.1.311.76.11.1" /> <EKU ID="ID_EKU_ENCLAVE" Value="010A2B0601040182370A032A" FriendlyName="Enclave EKU - 1.3.6.1.4.1.311.10.3.42" /> </EKUs> <FileRules> <Allow ID="ID_ALLOW_ALL" FriendlyName="Allow all files" FileName="" /> <FileAttrib ID="ID_FILEATTRIB_REFRESH_POLICY" FriendlyName="RefreshPolicy.exe FileAttribute" FileName="RefreshPolicy.exe" MinimumFileVersion="10.0.19042.0" /> <FileAttrib ID="ID_FILEATTRIB_A_1" FriendlyName="Allow files based on file attributes: Allowlisting Auditor" ProductName="Allowlisting Auditor" /> <Allow ID="ID_ALLOW_ALL_PATHS" FriendlyName="Allow all paths" FilePath="" /> <Deny ID="ID_DENY_A_1" FriendlyName="hh.exe" FileName="HH.exe" /> </FileRules> <Signers> <Signer Name="Microsoft Product Root 2010 Windows EKU" ID="ID_SIGNER_WINDOWS_PRODUCTION"> <CertRoot Type="Wellknown" Value="06" /> <CertEKU ID="ID_EKU_WINDOWS" /> </Signer> <Signer Name="Microsoft Product Root 2010 ELAM EKU" ID="ID_SIGNER_ELAM_PRODUCTION"> <CertRoot Type="Wellknown" Value="06" /> <CertEKU ID="ID_EKU_ELAM" /> </Signer> <Signer Name="Microsoft Product Root 2010 HAL EKU" ID="ID_SIGNER_HAL_PRODUCTION"> <CertRoot Type="Wellknown" Value="06" /> <CertEKU ID="ID_EKU_HAL_EXT" /> </Signer> <Signer Name="Microsoft Product Root 2010 WHQL EKU" ID="ID_SIGNER_WHQL_SHA2"> <CertRoot Type="Wellknown" Value="06" /> <CertEKU ID="ID_EKU_WHQL" /> </Signer> <Signer Name="Microsoft Product Root WHQL EKU SHA1" ID="ID_SIGNER_WHQL_SHA1"> <CertRoot Type="Wellknown" Value="05" /> <CertEKU ID="ID_EKU_WHQL" /> </Signer> <Signer Name="Microsoft Product Root WHQL EKU MD5" ID="ID_SIGNER_WHQL_MD5"> <CertRoot Type="Wellknown" Value="04" /> <CertEKU ID="ID_EKU_WHQL" /> </Signer> <Signer Name="Microsoft Flighting Root 2014 Windows EKU" ID="ID_SIGNER_WINDOWS_FLIGHT_ROOT"> <CertRoot Type="Wellknown" Value="0E" /> <CertEKU ID="ID_EKU_WINDOWS" /> </Signer> <Signer Name="Microsoft Flighting Root 2014 ELAM EKU" ID="ID_SIGNER_ELAM_FLIGHT"> <CertRoot Type="Wellknown" Value="0E" /> <CertEKU ID="ID_EKU_ELAM" /> </Signer> <Signer Name="Microsoft Flighting Root 2014 HAL EKU" ID="ID_SIGNER_HAL_FLIGHT"> <CertRoot Type="Wellknown" Value="0E" /> <CertEKU ID="ID_EKU_HAL_EXT" /> </Signer> <Signer Name="Microsoft Flighting Root 2014 WHQL EKU" ID="ID_SIGNER_WHQL_FLIGHT_SHA2"> <CertRoot Type="Wellknown" Value="0E" /> <CertEKU ID="ID_EKU_WHQL" /> </Signer> <Signer Name="MincryptKnownRootMicrosoftTestRoot2010" ID="ID_SIGNER_TEST2010"> <CertRoot Type="Wellknown" Value="0A" /> </Signer> <Signer Name="Microsoft Product Root 2010 Windows EKU" ID="ID_SIGNER_WINDOWS_PRODUCTION_USER"> <CertRoot Type="Wellknown" Value="06" /> <CertEKU ID="ID_EKU_WINDOWS" /> </Signer> <Signer Name="Microsoft Product Root 2010 ELAM EKU" ID="ID_SIGNER_ELAM_PRODUCTION_USER"> <CertRoot Type="Wellknown" Value="06" /> <CertEKU ID="ID_EKU_ELAM" /> </Signer> <Signer Name="Microsoft Product Root 2010 HAL EKU" ID="ID_SIGNER_HAL_PRODUCTION_USER"> <CertRoot Type="Wellknown" Value="06" /> <CertEKU ID="ID_EKU_HAL_EXT" /> </Signer> <Signer Name="Microsoft Product Root 2010 WHQL EKU" ID="ID_SIGNER_WHQL_SHA2_USER"> <CertRoot Type="Wellknown" Value="06" /> <CertEKU ID="ID_EKU_WHQL" /> </Signer> <Signer Name="Microsoft Product Root WHQL EKU SHA1" ID="ID_SIGNER_WHQL_SHA1_USER"> <CertRoot Type="Wellknown" Value="05" /> <CertEKU ID="ID_EKU_WHQL" /> </Signer> <Signer Name="Microsoft Product Root WHQL EKU MD5" ID="ID_SIGNER_WHQL_MD5_USER"> <CertRoot Type="Wellknown" Value="04" /> <CertEKU ID="ID_EKU_WHQL" /> </Signer> <Signer Name="Microsoft Flighting Root 2014 Windows EKU" ID="ID_SIGNER_WINDOWS_FLIGHT_ROOT_USER"> <CertRoot Type="Wellknown" Value="0E" /> <CertEKU ID="ID_EKU_WINDOWS" /> </Signer> <Signer Name="Microsoft Flighting Root 2014 ELAM EKU" ID="ID_SIGNER_ELAM_FLIGHT_USER"> <CertRoot Type="Wellknown" Value="0E" /> <CertEKU ID="ID_EKU_ELAM" /> </Signer> <Signer Name="Microsoft Flighting Root 2014 HAL EKU" ID="ID_SIGNER_HAL_FLIGHT_USER"> <CertRoot Type="Wellknown" Value="0E" /> <CertEKU ID="ID_EKU_HAL_EXT" /> </Signer> <Signer Name="Microsoft Flighting Root 2014 WHQL EKU" ID="ID_SIGNER_WHQL_FLIGHT_SHA2_USER"> <CertRoot Type="Wellknown" Value="0E" /> <CertEKU ID="ID_EKU_WHQL" /> </Signer> <Signer Name="Microsoft MarketPlace PCA 2011" ID="ID_SIGNER_STORE"> <CertRoot Type="TBS" Value="FC9EDE3DCCA09186B2D3BF9B738A2050CB1A554DA2DCADB55F3F72EE17721378" /> <CertEKU ID="ID_EKU_STORE" /> </Signer> <Signer Name="Microsoft Flighting Root 2014 Store EKU" ID="ID_SIGNER_STORE_FLIGHT_ROOT"> <CertRoot Type="Wellknown" Value="0E" /> <CertEKU ID="ID_EKU_STORE" /> </Signer> <Signer Name="Microsoft Product Root 2010 RT EKU" ID="ID_SIGNER_RT_PRODUCTION"> <CertRoot Type="Wellknown" Value="06" /> <CertEKU ID="ID_EKU_RT_EXT" /> </Signer> <Signer Name="MincryptKnownRootMicrosoftDMDRoot2005" ID="ID_SIGNER_DRM"> <CertRoot Type="Wellknown" Value="0C" /> </Signer> <Signer Name="MincryptKnownRootMicrosoftProductRoot2010" ID="ID_SIGNER_DCODEGEN"> <CertRoot Type="Wellknown" Value="06" /> <CertEKU ID="ID_EKU_DCODEGEN" /> </Signer> <Signer Name="MincryptKnownRootMicrosoftStandardRoot2011" ID="ID_SIGNER_AM"> <CertRoot Type="Wellknown" Value="07" /> <CertEKU ID="ID_EKU_AM" /> </Signer> <Signer Name="Microsoft Flighting Root 2014 RT EKU" ID="ID_SIGNER_RT_FLIGHT"> <CertRoot Type="Wellknown" Value="0E" /> <CertEKU ID="ID_EKU_RT_EXT" /> </Signer> <Signer Name="Microsoft Standard Root 2011 RT EKU" ID="ID_SIGNER_RT_STANDARD"> <CertRoot Type="Wellknown" Value="07" /> <CertEKU ID="ID_EKU_RT_EXT" /> </Signer> <Signer Name="Microsoft Standard Root 2011 Enclave EKU" ID="ID_SIGNER_ENCLAVE"> <CertRoot Type="Wellknown" Value="07" /> <CertEKU ID="ID_EKU_ENCLAVE" /> </Signer> <Signer Name="Microsoft Code Signing PCA 2011" ID="ID_SIGNER_MICROSOFT_REFRESH_POLICY"> <CertRoot Type="TBS" Value="F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E" /> <CertPublisher Value="Microsoft Corporation" /> <FileAttribRef RuleID="ID_FILEATTRIB_REFRESH_POLICY" /> </Signer> <Signer Name="MincryptKnownRootMicrosoftTestRoot2010" ID="ID_SIGNER_TEST2010_USER"> <CertRoot Type="Wellknown" Value="0A" /> </Signer> <Signer Name="DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" ID="ID_SIGNER_S_1"> <CertRoot Type="TBS" Value="65B1D4076A89AE273F57E6EEEDECB3EAE129B4168F76FA7671914CDF461D542255C59D9B85B916AE0CA6FC0FCF7A8E64" /> <CertPublisher Value="Australian Signals Directorate" /> </Signer> <Signer Name="DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" ID="ID_SIGNER_S_2"> <CertRoot Type="TBS" Value="65B1D4076A89AE273F57E6EEEDECB3EAE129B4168F76FA7671914CDF461D542255C59D9B85B916AE0CA6FC0FCF7A8E64" /> <CertPublisher Value="Airlock Digital Pty Ltd" /> <FileAttribRef RuleID="ID_FILEATTRIB_A_1" /> </Signer> </Signers> <SigningScenarios> <SigningScenario ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 09-13-2024" Value="131"> <ProductSigners> <AllowedSigners> <AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION" /> <AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION" /> <AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION" /> <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2" /> <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1" /> <AllowedSigner SignerId="ID_SIGNER_WHQL_MD5" /> <AllowedSigner SignerId="ID_SIGNER_WINDOWS_FLIGHT_ROOT" /> <AllowedSigner SignerId="ID_SIGNER_ELAM_FLIGHT" /> <AllowedSigner SignerId="ID_SIGNER_HAL_FLIGHT" /> <AllowedSigner SignerId="ID_SIGNER_WHQL_FLIGHT_SHA2" /> <AllowedSigner SignerId="ID_SIGNER_TEST2010" /> </AllowedSigners> <FileRulesRef> <FileRuleRef RuleID="ID_ALLOW_ALL" /> </FileRulesRef> </ProductSigners> </SigningScenario> <SigningScenario ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 09-13-2024" Value="12"> <ProductSigners> <AllowedSigners> <AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION_USER" /> <AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION_USER" /> <AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION_USER" /> <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2_USER" /> <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1_USER" /> <AllowedSigner SignerId="ID_SIGNER_WHQL_MD5_USER" /> <AllowedSigner SignerId="ID_SIGNER_WINDOWS_FLIGHT_ROOT_USER" /> <AllowedSigner SignerId="ID_SIGNER_ELAM_FLIGHT_USER" /> <AllowedSigner SignerId="ID_SIGNER_HAL_FLIGHT_USER" /> <AllowedSigner SignerId="ID_SIGNER_WHQL_FLIGHT_SHA2_USER" /> <AllowedSigner SignerId="ID_SIGNER_STORE" /> <AllowedSigner SignerId="ID_SIGNER_STORE_FLIGHT_ROOT" /> <AllowedSigner SignerId="ID_SIGNER_RT_PRODUCTION" /> <AllowedSigner SignerId="ID_SIGNER_DRM" /> <AllowedSigner SignerId="ID_SIGNER_DCODEGEN" /> <AllowedSigner SignerId="ID_SIGNER_AM" /> <AllowedSigner SignerId="ID_SIGNER_RT_FLIGHT" /> <AllowedSigner SignerId="ID_SIGNER_RT_STANDARD" /> <AllowedSigner SignerId="ID_SIGNER_ENCLAVE" /> <AllowedSigner SignerId="ID_SIGNER_MICROSOFT_REFRESH_POLICY" /> <AllowedSigner SignerId="ID_SIGNER_TEST2010_USER" /> <AllowedSigner SignerId="ID_SIGNER_S_1" /> <AllowedSigner SignerId="ID_SIGNER_S_2" /> </AllowedSigners> <FileRulesRef> <FileRuleRef RuleID="ID_ALLOW_ALL_PATHS" /> <FileRuleRef RuleID="ID_DENY_A_1" /> </FileRulesRef> </ProductSigners> </SigningScenario> </SigningScenarios> <UpdatePolicySigners /> <CiSigners> <CiSigner SignerId="ID_SIGNER_STORE" /> <CiSigner SignerId="ID_SIGNER_MICROSOFT_REFRESH_POLICY" /> <CiSigner SignerId="ID_SIGNER_S_1" /> <CiSigner SignerId="ID_SIGNER_S_2" /> </CiSigners> <HvciOptions>1</HvciOptions> <Settings> <Setting Provider="PolicyInfo" Key="Information" ValueName="Name"> <Value> <String>E8ML1AllowNonUserWriteable</String> </Value> </Setting> <Setting Provider="PolicyInfo" Key="Information" ValueName="Id"> <Value> <String>2024-09-16</String> </Value> </Setting> <Setting Provider="AllHostIds" Key="AllKeys" ValueName="EnterpriseDefinedClsId"> <Value> <Boolean>true</Boolean> </Value> </Setting> </Settings> </SiPolicy>

Devicie Template Name	ACSC E8 Nov 2023-ML1 App control-Audit
Default Intune Deployed Name	Devicie - ACSC E8 Nov 2023-ML1 App control-Audit
Version	1.0
Template Last Updated	Nov 8, 2024
Document Last Updated:	Jul 24, 2025