ACSC E8 Nov 2023-ML1 App control-Audit
Overview
The Devicie Essential Eight Maturity Level 1 Application Control (Audit) (Nov 2023) configuration is designed to meet the Australian Cyber Security Centre’s guidance for this mitigation strategy. Because the policy is deployed in audit mode, executions that an enforced (Block) policy would stop are only logged; nothing is prevented from running until the Block variant is deployed.
Intune Description:
E8 ML1 App Control (Audit) (Nov 2023)
Scope:
This baseline should be applied to Windows devices.
Policy Impact Areas:
When deployed, this policy will impact:
Deployment Notes
-
Pre-Deployment Considerations:
-
Review any other application control products or configurations already in use, so that overlapping or conflicting rules are understood before this policy is assigned
-
Prepare to review the audit events this policy generates; they show what would have been blocked and are the evidence base for moving towards enforced (Block) controls
-
Do not assign the Block and Audit variants of this policy to the same group; a device should receive only one of the two
-
Post-Deployment Validation: confirm on a pilot device that the policy has been applied and that audit events are being recorded before relying on those logs to plan the move to Block.
Name
|
Value
|
Configuration settings format
|
Enter xml data
|
App Control for Business policy
|
<?xml version="1.0" encoding="utf-8"?>
<!-- App Control for Business (WDAC) base policy for Essential Eight ML1, deployed in AUDIT mode.
     Executions that an enforced (Block) policy would stop are logged but still run (see
     "Enabled:Audit Mode" in Rules). On its own this policy does not prevent anything from executing. -->
<SiPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" PolicyType="Base Policy" xmlns="urn:schemas-microsoft-com:sipolicy" > <VersionEx>10.0.0.5</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<!-- PolicyID equals BasePolicyID: this is a standalone base policy (PolicyType="Base Policy") that
     can take supplemental policies (see "Enabled:Allow Supplemental Policies" below). -->
<PolicyID>{4BC542CF-B192-4796-AEC8-C1275E5030E1}</PolicyID>
<BasePolicyID>{4BC542CF-B192-4796-AEC8-C1275E5030E1}</BasePolicyID>
<!-- Policy rule options.
     NOTE(review): "Unsigned System Integrity Policy" together with the empty UpdatePolicySigners
     element further down means this policy is unsigned. Presumably acceptable for an audit pilot,
     but confirm whether a signed policy is intended before moving to Block. -->
<Rules> <Rule> <option>Enabled:Unsigned System Integrity Policy</option> </Rule>
<Rule> <option>Enabled:Advanced Boot Options Menu</option> </Rule>
<!-- UMCI: the policy applies to user-mode code, not only to drivers. -->
<Rule> <option>Enabled:UMCI</option> </Rule>
<Rule> <option>Enabled:Inherit Default Policy</option> </Rule>
<Rule> <option>Enabled:Update Policy No Reboot</option> </Rule>
<Rule> <option>Enabled:Dynamic Code Security</option> </Rule>
<Rule> <option>Enabled:Revoked Expired As Unsigned</option> </Rule>
<Rule> <option>Enabled:Allow Supplemental Policies</option> </Rule>
<!-- NOTE(review): Managed Installer only has an effect if a matching AppLocker managed-installer
     configuration is also present on the device; confirm that is deployed alongside this policy. -->
<Rule> <option>Enabled:Managed Installer</option> </Rule>
<Rule> <option>Required:Enforce Store Applications</option> </Rule>
<Rule> <option>Enabled:Boot Audit On Failure</option> </Rule>
<!-- Audit Mode is what makes this the "Audit" variant. Removing this option (and re-testing) yields
     the enforcing (Block) policy; the page notes Block and Audit must not target the same group. -->
<Rule> <option>Enabled:Audit Mode</option> </Rule> </Rules>
<!-- EKU table: Value is the hex-encoded EKU OID, FriendlyName gives the dotted form.
     Entries are referenced from the Signers below via CertEKU. -->
<EKUs> <EKU ID="ID_EKU_WINDOWS" Value="010A2B0601040182370A0306" FriendlyName="Windows EKU - 1.3.6.1.4.1.311.10.3.6" />
<EKU ID="ID_EKU_ELAM" Value="010A2B0601040182373D0401" FriendlyName="Early Launch AntiMalware EKU - 1.3.6.1.4.1.311.61.4.1" />
<EKU ID="ID_EKU_HAL_EXT" Value="010A2B0601040182373D0501" FriendlyName="Hardware Abstraction Layer EKU - 1.3.6.1.4.1.311.61.5.1" />
<EKU ID="ID_EKU_WHQL" Value="010A2B0601040182370A0305" FriendlyName="WHQL EKU - 1.3.6.1.4.1.311.10.3.5" />
<EKU ID="ID_EKU_STORE" Value="010A2B0601040182374C0301" FriendlyName="Windows Store EKU - 1.3.6.1.4.1.311.76.3.1" />
<EKU ID="ID_EKU_RT_EXT" Value="010A2B0601040182370A0315" FriendlyName="Windows RT EKU - 1.3.6.1.4.1.311.10.3.21" />
<EKU ID="ID_EKU_DCODEGEN" Value="010A2B0601040182374C0501" FriendlyName="Dynamic Code Generation EKU - 1.3.6.1.4.1.311.76.5.1" />
<EKU ID="ID_EKU_AM" Value="010A2B0601040182374C0B01" FriendlyName="AntiMalware EKU - 1.3.6.1.4.1.311.76.11.1" />
<EKU ID="ID_EKU_ENCLAVE" Value="010A2B0601040182370A032A" FriendlyName="Enclave EKU - 1.3.6.1.4.1.311.10.3.42" /> </EKUs>
<!-- File rules.
     ID_ALLOW_ALL (FileName="*") is referenced only from the kernel-mode (drivers) signing scenario
     below, so driver loading is effectively unrestricted by this policy.
     ID_ALLOW_ALL_PATHS (FilePath="*") is referenced from the user-mode scenario; per the policy name
     "E8ML1AllowNonUserWriteable", the intent is to allow execution from locations standard users
     cannot write to, so that execution from user-writable locations is what gets logged (audit)
     or stopped (Block).
     ID_DENY_A_1 denies HH.exe (the HTML Help viewer), presumably to cover compiled HTML under the
     ML1 control text; confirm against the current ACSC wording. -->
<FileRules> <Allow ID="ID_ALLOW_ALL" FriendlyName="Allow all files" FileName="*" />
<FileAttrib ID="ID_FILEATTRIB_REFRESH_POLICY" FriendlyName="RefreshPolicy.exe FileAttribute" FileName="RefreshPolicy.exe" MinimumFileVersion="10.0.19042.0" />
<FileAttrib ID="ID_FILEATTRIB_A_1" FriendlyName="Allow files based on file attributes: Allowlisting Auditor" ProductName="Allowlisting Auditor" />
<Allow ID="ID_ALLOW_ALL_PATHS" FriendlyName="Allow all paths" FilePath="*" />
<Deny ID="ID_DENY_A_1" FriendlyName="hh.exe" FileName="HH.exe" /> </FileRules>
<!-- Signers. CertRoot Type="Wellknown" entries are Microsoft root identifiers carried over from the
     Microsoft base template; Type="TBS" entries pin a specific CA by its to-be-signed hash.
     NOTE(review): both signing scenarios also trust MincryptKnownRootMicrosoftTestRoot2010
     (ID_SIGNER_TEST2010 / ID_SIGNER_TEST2010_USER) and the legacy SHA1 and MD5 WHQL roots;
     review whether those are needed before the Block variant is produced. -->
<Signers> <Signer Name="Microsoft Product Root 2010 Windows EKU" ID="ID_SIGNER_WINDOWS_PRODUCTION" > <CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_WINDOWS" /> </Signer>
<Signer Name="Microsoft Product Root 2010 ELAM EKU" ID="ID_SIGNER_ELAM_PRODUCTION" > <CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_ELAM" /> </Signer>
<Signer Name="Microsoft Product Root 2010 HAL EKU" ID="ID_SIGNER_HAL_PRODUCTION" > <CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_HAL_EXT" /> </Signer>
<Signer Name="Microsoft Product Root 2010 WHQL EKU" ID="ID_SIGNER_WHQL_SHA2" > <CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_WHQL" /> </Signer>
<Signer Name="Microsoft Product Root WHQL EKU SHA1" ID="ID_SIGNER_WHQL_SHA1" > <CertRoot Type="Wellknown" Value="05" />
<CertEKU ID="ID_EKU_WHQL" /> </Signer>
<Signer Name="Microsoft Product Root WHQL EKU MD5" ID="ID_SIGNER_WHQL_MD5" > <CertRoot Type="Wellknown" Value="04" />
<CertEKU ID="ID_EKU_WHQL" /> </Signer>
<Signer Name="Microsoft Flighting Root 2014 Windows EKU" ID="ID_SIGNER_WINDOWS_FLIGHT_ROOT" > <CertRoot Type="Wellknown" Value="0E" />
<CertEKU ID="ID_EKU_WINDOWS" /> </Signer>
<Signer Name="Microsoft Flighting Root 2014 ELAM EKU" ID="ID_SIGNER_ELAM_FLIGHT" > <CertRoot Type="Wellknown" Value="0E" />
<CertEKU ID="ID_EKU_ELAM" /> </Signer>
<Signer Name="Microsoft Flighting Root 2014 HAL EKU" ID="ID_SIGNER_HAL_FLIGHT" > <CertRoot Type="Wellknown" Value="0E" />
<CertEKU ID="ID_EKU_HAL_EXT" /> </Signer>
<Signer Name="Microsoft Flighting Root 2014 WHQL EKU" ID="ID_SIGNER_WHQL_FLIGHT_SHA2" > <CertRoot Type="Wellknown" Value="0E" />
<CertEKU ID="ID_EKU_WHQL" /> </Signer>
<Signer Name="MincryptKnownRootMicrosoftTestRoot2010" ID="ID_SIGNER_TEST2010" > <CertRoot Type="Wellknown" Value="0A" /> </Signer>
<!-- The _USER signers below duplicate the kernel-mode set for the user-mode signing scenario. -->
<Signer Name="Microsoft Product Root 2010 Windows EKU" ID="ID_SIGNER_WINDOWS_PRODUCTION_USER" > <CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_WINDOWS" /> </Signer>
<Signer Name="Microsoft Product Root 2010 ELAM EKU" ID="ID_SIGNER_ELAM_PRODUCTION_USER" > <CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_ELAM" /> </Signer>
<Signer Name="Microsoft Product Root 2010 HAL EKU" ID="ID_SIGNER_HAL_PRODUCTION_USER" > <CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_HAL_EXT" /> </Signer>
<Signer Name="Microsoft Product Root 2010 WHQL EKU" ID="ID_SIGNER_WHQL_SHA2_USER" > <CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_WHQL" /> </Signer>
<Signer Name="Microsoft Product Root WHQL EKU SHA1" ID="ID_SIGNER_WHQL_SHA1_USER" > <CertRoot Type="Wellknown" Value="05" />
<CertEKU ID="ID_EKU_WHQL" /> </Signer>
<Signer Name="Microsoft Product Root WHQL EKU MD5" ID="ID_SIGNER_WHQL_MD5_USER" > <CertRoot Type="Wellknown" Value="04" />
<CertEKU ID="ID_EKU_WHQL" /> </Signer>
<Signer Name="Microsoft Flighting Root 2014 Windows EKU" ID="ID_SIGNER_WINDOWS_FLIGHT_ROOT_USER" > <CertRoot Type="Wellknown" Value="0E" />
<CertEKU ID="ID_EKU_WINDOWS" /> </Signer>
<Signer Name="Microsoft Flighting Root 2014 ELAM EKU" ID="ID_SIGNER_ELAM_FLIGHT_USER" > <CertRoot Type="Wellknown" Value="0E" />
<CertEKU ID="ID_EKU_ELAM" /> </Signer>
<Signer Name="Microsoft Flighting Root 2014 HAL EKU" ID="ID_SIGNER_HAL_FLIGHT_USER" > <CertRoot Type="Wellknown" Value="0E" />
<CertEKU ID="ID_EKU_HAL_EXT" /> </Signer>
<Signer Name="Microsoft Flighting Root 2014 WHQL EKU" ID="ID_SIGNER_WHQL_FLIGHT_SHA2_USER" > <CertRoot Type="Wellknown" Value="0E" />
<CertEKU ID="ID_EKU_WHQL" /> </Signer>
<Signer Name="Microsoft MarketPlace PCA 2011" ID="ID_SIGNER_STORE"> <CertRoot Type="TBS" Value="FC9EDE3DCCA09186B2D3BF9B738A2050CB1A554DA2DCADB55F3F72EE17721378" />
<CertEKU ID="ID_EKU_STORE" /> </Signer>
<Signer Name="Microsoft Flighting Root 2014 Store EKU" ID="ID_SIGNER_STORE_FLIGHT_ROOT" > <CertRoot Type="Wellknown" Value="0E" />
<CertEKU ID="ID_EKU_STORE" /> </Signer>
<Signer Name="Microsoft Product Root 2010 RT EKU" ID="ID_SIGNER_RT_PRODUCTION" > <CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_RT_EXT" /> </Signer>
<Signer Name="MincryptKnownRootMicrosoftDMDRoot2005" ID="ID_SIGNER_DRM"> <CertRoot Type="Wellknown" Value="0C" /> </Signer>
<Signer Name="MincryptKnownRootMicrosoftProductRoot2010" ID="ID_SIGNER_DCODEGEN" > <CertRoot Type="Wellknown" Value="06" />
<CertEKU ID="ID_EKU_DCODEGEN" /> </Signer>
<Signer Name="MincryptKnownRootMicrosoftStandardRoot2011" ID="ID_SIGNER_AM" > <CertRoot Type="Wellknown" Value="07" />
<CertEKU ID="ID_EKU_AM" /> </Signer>
<Signer Name="Microsoft Flighting Root 2014 RT EKU" ID="ID_SIGNER_RT_FLIGHT" > <CertRoot Type="Wellknown" Value="0E" />
<CertEKU ID="ID_EKU_RT_EXT" /> </Signer>
<Signer Name="Microsoft Standard Root 2011 RT EKU" ID="ID_SIGNER_RT_STANDARD" > <CertRoot Type="Wellknown" Value="07" />
<CertEKU ID="ID_EKU_RT_EXT" /> </Signer>
<Signer Name="Microsoft Standard Root 2011 Enclave EKU" ID="ID_SIGNER_ENCLAVE" > <CertRoot Type="Wellknown" Value="07" />
<CertEKU ID="ID_EKU_ENCLAVE" /> </Signer>
<!-- Allows Microsoft-signed RefreshPolicy.exe (minimum version 10.0.19042.0), presumably the tool
     used together with the "Update Policy No Reboot" option above. -->
<Signer Name="Microsoft Code Signing PCA 2011" ID="ID_SIGNER_MICROSOFT_REFRESH_POLICY" > <CertRoot Type="TBS" Value="F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E" />
<CertPublisher Value="Microsoft Corporation" />
<FileAttribRef RuleID="ID_FILEATTRIB_REFRESH_POLICY" /> </Signer>
<Signer Name="MincryptKnownRootMicrosoftTestRoot2010" ID="ID_SIGNER_TEST2010_USER" > <CertRoot Type="Wellknown" Value="0A" /> </Signer>
<!-- Third-party signers added to the Microsoft template.
     ID_SIGNER_S_1: any code signed by publisher "Australian Signals Directorate" under the named
     DigiCert CA is allowed regardless of path (no FileAttribRef constraint).
     ID_SIGNER_S_2: publisher "Airlock Digital Pty Ltd" under the same CA, additionally constrained by
     ID_FILEATTRIB_A_1 to files whose ProductName is "Allowlisting Auditor". -->
<Signer Name="DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" ID="ID_SIGNER_S_1" > <CertRoot Type="TBS" Value="65B1D4076A89AE273F57E6EEEDECB3EAE129B4168F76FA7671914CDF461D542255C59D9B85B916AE0CA6FC0FCF7A8E64" />
<CertPublisher Value="Australian Signals Directorate" /> </Signer>
<Signer Name="DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" ID="ID_SIGNER_S_2" > <CertRoot Type="TBS" Value="65B1D4076A89AE273F57E6EEEDECB3EAE129B4168F76FA7671914CDF461D542255C59D9B85B916AE0CA6FC0FCF7A8E64" />
<CertPublisher Value="Airlock Digital Pty Ltd" />
<FileAttribRef RuleID="ID_FILEATTRIB_A_1" /> </Signer> </Signers>
<!-- Signing scenarios. Value="131" is the kernel-mode (drivers) scenario, Value="12" the user-mode
     (Windows) scenario. The FriendlyName "Auto generated policy on 09-13-2024" is a generator
     artifact and is not a version indicator. -->
<SigningScenarios> <SigningScenario ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 09-13-2024" Value="131" > <ProductSigners> <AllowedSigners> <AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION" />
<AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION" />
<AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_MD5" />
<AllowedSigner SignerId="ID_SIGNER_WINDOWS_FLIGHT_ROOT" />
<AllowedSigner SignerId="ID_SIGNER_ELAM_FLIGHT" />
<AllowedSigner SignerId="ID_SIGNER_HAL_FLIGHT" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_FLIGHT_SHA2" />
<AllowedSigner SignerId="ID_SIGNER_TEST2010" /> </AllowedSigners>
<!-- Kernel mode also references ID_ALLOW_ALL, so all drivers are allowed irrespective of signer. -->
<FileRulesRef> <FileRuleRef RuleID="ID_ALLOW_ALL" /> </FileRulesRef> </ProductSigners> </SigningScenario>
<SigningScenario ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 09-13-2024" Value="12" > <ProductSigners> <AllowedSigners> <AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION_USER" />
<AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION_USER" />
<AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION_USER" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2_USER" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1_USER" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_MD5_USER" />
<AllowedSigner SignerId="ID_SIGNER_WINDOWS_FLIGHT_ROOT_USER" />
<AllowedSigner SignerId="ID_SIGNER_ELAM_FLIGHT_USER" />
<AllowedSigner SignerId="ID_SIGNER_HAL_FLIGHT_USER" />
<AllowedSigner SignerId="ID_SIGNER_WHQL_FLIGHT_SHA2_USER" />
<AllowedSigner SignerId="ID_SIGNER_STORE" />
<AllowedSigner SignerId="ID_SIGNER_STORE_FLIGHT_ROOT" />
<AllowedSigner SignerId="ID_SIGNER_RT_PRODUCTION" />
<AllowedSigner SignerId="ID_SIGNER_DRM" />
<AllowedSigner SignerId="ID_SIGNER_DCODEGEN" />
<AllowedSigner SignerId="ID_SIGNER_AM" />
<AllowedSigner SignerId="ID_SIGNER_RT_FLIGHT" />
<AllowedSigner SignerId="ID_SIGNER_RT_STANDARD" />
<AllowedSigner SignerId="ID_SIGNER_ENCLAVE" />
<AllowedSigner SignerId="ID_SIGNER_MICROSOFT_REFRESH_POLICY" />
<AllowedSigner SignerId="ID_SIGNER_TEST2010_USER" />
<AllowedSigner SignerId="ID_SIGNER_S_1" />
<AllowedSigner SignerId="ID_SIGNER_S_2" /> </AllowedSigners>
<!-- User mode: allow by path (ID_ALLOW_ALL_PATHS) plus the explicit HH.exe deny (ID_DENY_A_1). -->
<FileRulesRef> <FileRuleRef RuleID="ID_ALLOW_ALL_PATHS" />
<FileRuleRef RuleID="ID_DENY_A_1" /> </FileRulesRef> </ProductSigners> </SigningScenario> </SigningScenarios>
<!-- Empty: no signer is authorised to update this policy, consistent with it being unsigned (see Rules). -->
<UpdatePolicySigners />
<!-- CiSigners: Store, RefreshPolicy and the two third-party signers, matching the non-template
     entries added to the user-mode AllowedSigners above; keep the two lists in step when editing. -->
<CiSigners> <CiSigner SignerId="ID_SIGNER_STORE" />
<CiSigner SignerId="ID_SIGNER_MICROSOFT_REFRESH_POLICY" />
<CiSigner SignerId="ID_SIGNER_S_1" />
<CiSigner SignerId="ID_SIGNER_S_2" /> </CiSigners>
<!-- NOTE(review): HvciOptions=1 is understood to enable hypervisor-protected code integrity; confirm
     the target hardware supports it before the Block variant is deployed. -->
<HvciOptions>1</HvciOptions>
<!-- PolicyInfo metadata: Name states the policy intent (allow non-user-writable locations for E8 ML1);
     Id is a date stamp (2024-09-16) rather than a semantic version. -->
<Settings> <Setting Provider="PolicyInfo" Key="Information" ValueName="Name"> <Value> <String>E8ML1AllowNonUserWriteable</String> </Value> </Setting>
<Setting Provider="PolicyInfo" Key="Information" ValueName="Id"> <Value> <String>2024-09-16</String> </Value> </Setting>
<Setting Provider="AllHostIds" Key="AllKeys" ValueName="EnterpriseDefinedClsId" > <Value> <Boolean>true</Boolean> </Value> </Setting> </Settings> </SiPolicy>
|
Devicie Template Name
|
ACSC E8 Nov 2023-ML1 App control-Audit
|
Default Intune Deployed Name
|
DEVICIE-PROD-ACSC E8 Nov 2023-ML1 App control-Audit
|
Version
|
1.0
|
Template Last Updated
|
Nov 18, 2024
|
Document Last Updated:
|
June 12, 2025
|