ACSC E8 Nov 2023-ML1 App control-Block

Overview

The Devicie Essential Eight Maturity Level 1 Application Control (Block) (Nov 2023) configuration is designed to meet the Australian Cyber Security Centre's (ACSC) guidance for the Application Control mitigation strategy.

Intune Description:

E8 ML1 App Control (Block) (Nov 2023)

Scope:

This baseline should be applied to Windows devices.

Policy Impact Areas:

When deployed, this policy will:

  • Enforce App Control for Business (Application Control) in block mode

Deployment Notes

  1. Pre-Deployment Considerations:

    • Review any other application control products or configurations already in use

    • Consider deploying DEVICIE-PROD-ACSC E8 Nov 2023-ML1 App control-Audit first

    • Do not assign Block and Audit policies to the same group

  2. Post-Deployment Validation:

    • Verify application control configuration
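A post-deployment check for the validation step above, as an added example that is not part of Devicie's documentation or tooling. It assumes an elevated PowerShell session on a Windows device that has received the policy, and uses the PolicyID declared in the policy XML on this page.

```powershell
# Post-deployment check for the E8 ML1 App Control (Block) policy on a target device.
# Added example, not Devicie's own tooling. Run in an elevated PowerShell session.
# The PolicyID below is the one declared in the policy XML on this page.
$PolicyId = '{4BC542CF-B192-4796-AEC8-C1275E5030E1}'

# 1. Intune delivers multiple-policy-format policies as {PolicyID}.cip in the Active folder.
$active = Join-Path $env:SystemRoot 'System32\CodeIntegrity\CiPolicies\Active'
$cip = Get-ChildItem -Path $active -Filter '*.cip' -ErrorAction SilentlyContinue |
       Where-Object { $_.BaseName -ieq $PolicyId }
if ($cip) { "OK   policy file present: $($cip.FullName)" }
else      { "FAIL policy file $PolicyId.cip not found under $active" }

# 2. Ask the Device Guard WMI class which mode user-mode code integrity (UMCI) is in.
#    0 = off, 1 = audit, 2 = enforced. A Block deployment must report 2.
$dg   = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$umci = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
switch ($umci) {
    2       { 'OK   UMCI enforcement status: Enforced (block mode)' }
    1       { 'WARN UMCI enforcement status: Audit only (is the Audit policy still assigned to this group?)' }
    default { "FAIL UMCI enforcement status: $umci (no policy active)" }
}

# 3. citool.exe (Windows 11 22H2 and later) lists every loaded policy by ID and name;
#    the Settings block of this policy names it E8ML1AllowNonUserWriteable.
if (Get-Command citool.exe -ErrorAction SilentlyContinue) {
    citool.exe --list-policies | Select-String -Pattern $PolicyId.Trim('{}'), 'E8ML1AllowNonUserWriteable'
}

# 4. Count code-integrity events from the last 24 hours. 3077 (executables/DLLs) and
#    8029 (scripts/MSI) are enforced blocks; 3076/8028 are audit-mode events and should
#    stop appearing once the Block policy is live.
$since   = (Get-Date).AddDays(-1)
$filters = @(
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8028, 8029; StartTime = $since }
)
foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
        Group-Object Id |
        ForEach-Object { '{0,-5} event(s) with ID {1} in {2}' -f $_.Count, $_.Name, $f.LogName }
}
```

A run of 3077 events naming a line-of-business application is the signal to review the file path or signer rules before widening the assignment group.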

Name: Configuration settings format
Value: Enter xml data

Name: App Control for Business policy
Value: the policy XML below

<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" PolicyType="Base Policy" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.5</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <PolicyID>{4BC542CF-B192-4796-AEC8-C1275E5030E1}</PolicyID>
  <BasePolicyID>{4BC542CF-B192-4796-AEC8-C1275E5030E1}</BasePolicyID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Advanced Boot Options Menu</Option>
    </Rule>
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Inherit Default Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Update Policy No Reboot</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Dynamic Code Security</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Revoked Expired As Unsigned</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Allow Supplemental Policies</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Managed Installer</Option>
    </Rule>
    <Rule>
      <Option>Required:Enforce Store Applications</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Boot Audit On Failure</Option>
    </Rule>
  </Rules>
  <EKUs>
    <EKU ID="ID_EKU_WINDOWS" Value="010A2B0601040182370A0306" FriendlyName="Windows EKU - 1.3.6.1.4.1.311.10.3.6" />
    <EKU ID="ID_EKU_ELAM" Value="010A2B0601040182373D0401" FriendlyName="Early Launch AntiMalware EKU - 1.3.6.1.4.1.311.61.4.1" />
    <EKU ID="ID_EKU_HAL_EXT" Value="010A2B0601040182373D0501" FriendlyName="Hardware Abstraction Layer EKU - 1.3.6.1.4.1.311.61.5.1" />
    <EKU ID="ID_EKU_WHQL" Value="010A2B0601040182370A0305" FriendlyName="WHQL EKU - 1.3.6.1.4.1.311.10.3.5" />
    <EKU ID="ID_EKU_STORE" Value="010A2B0601040182374C0301" FriendlyName="Windows Store EKU - 1.3.6.1.4.1.311.76.3.1" />
    <EKU ID="ID_EKU_RT_EXT" Value="010A2B0601040182370A0315" FriendlyName="Windows RT EKU - 1.3.6.1.4.1.311.10.3.21" />
    <EKU ID="ID_EKU_DCODEGEN" Value="010A2B0601040182374C0501" FriendlyName="Dynamic Code Generation EKU - 1.3.6.1.4.1.311.76.5.1" />
    <EKU ID="ID_EKU_AM" Value="010A2B0601040182374C0B01" FriendlyName="AntiMalware EKU - 1.3.6.1.4.1.311.76.11.1" />
    <EKU ID="ID_EKU_ENCLAVE" Value="010A2B0601040182370A032A" FriendlyName="Enclave EKU - 1.3.6.1.4.1.311.10.3.42" />
  </EKUs>
  <FileRules>
    <Allow ID="ID_ALLOW_ALL" FriendlyName="Allow all files" FileName="*" />
    <FileAttrib ID="ID_FILEATTRIB_REFRESH_POLICY" FriendlyName="RefreshPolicy.exe FileAttribute" FileName="RefreshPolicy.exe" MinimumFileVersion="10.0.19042.0" />
    <FileAttrib ID="ID_FILEATTRIB_A_1" FriendlyName="Allow files based on file attributes: Allowlisting Auditor" ProductName="Allowlisting Auditor" />
    <Allow ID="ID_ALLOW_ALL_PATHS" FriendlyName="Allow all paths" FilePath="*" />
    <Deny ID="ID_DENY_A_1" FriendlyName="hh.exe" FileName="HH.exe" />
  </FileRules>
  <Signers>
    <Signer Name="Microsoft Product Root 2010 Windows EKU" ID="ID_SIGNER_WINDOWS_PRODUCTION">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_WINDOWS" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 ELAM EKU" ID="ID_SIGNER_ELAM_PRODUCTION">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_ELAM" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 HAL EKU" ID="ID_SIGNER_HAL_PRODUCTION">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_HAL_EXT" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 WHQL EKU" ID="ID_SIGNER_WHQL_SHA2">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Microsoft Product Root WHQL EKU SHA1" ID="ID_SIGNER_WHQL_SHA1">
      <CertRoot Type="Wellknown" Value="05" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Microsoft Product Root WHQL EKU MD5" ID="ID_SIGNER_WHQL_MD5">
      <CertRoot Type="Wellknown" Value="04" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Microsoft Flighting Root 2014 Windows EKU" ID="ID_SIGNER_WINDOWS_FLIGHT_ROOT">
      <CertRoot Type="Wellknown" Value="0E" />
      <CertEKU ID="ID_EKU_WINDOWS" />
    </Signer>
    <Signer Name="Microsoft Flighting Root 2014 ELAM EKU" ID="ID_SIGNER_ELAM_FLIGHT">
      <CertRoot Type="Wellknown" Value="0E" />
      <CertEKU ID="ID_EKU_ELAM" />
    </Signer>
    <Signer Name="Microsoft Flighting Root 2014 HAL EKU" ID="ID_SIGNER_HAL_FLIGHT">
      <CertRoot Type="Wellknown" Value="0E" />
      <CertEKU ID="ID_EKU_HAL_EXT" />
    </Signer>
    <Signer Name="Microsoft Flighting Root 2014 WHQL EKU" ID="ID_SIGNER_WHQL_FLIGHT_SHA2">
      <CertRoot Type="Wellknown" Value="0E" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="MincryptKnownRootMicrosoftTestRoot2010" ID="ID_SIGNER_TEST2010">
      <CertRoot Type="Wellknown" Value="0A" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 Windows EKU" ID="ID_SIGNER_WINDOWS_PRODUCTION_USER">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_WINDOWS" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 ELAM EKU" ID="ID_SIGNER_ELAM_PRODUCTION_USER">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_ELAM" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 HAL EKU" ID="ID_SIGNER_HAL_PRODUCTION_USER">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_HAL_EXT" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 WHQL EKU" ID="ID_SIGNER_WHQL_SHA2_USER">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Microsoft Product Root WHQL EKU SHA1" ID="ID_SIGNER_WHQL_SHA1_USER">
      <CertRoot Type="Wellknown" Value="05" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Microsoft Product Root WHQL EKU MD5" ID="ID_SIGNER_WHQL_MD5_USER">
      <CertRoot Type="Wellknown" Value="04" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Microsoft Flighting Root 2014 Windows EKU" ID="ID_SIGNER_WINDOWS_FLIGHT_ROOT_USER">
      <CertRoot Type="Wellknown" Value="0E" />
      <CertEKU ID="ID_EKU_WINDOWS" />
    </Signer>
    <Signer Name="Microsoft Flighting Root 2014 ELAM EKU" ID="ID_SIGNER_ELAM_FLIGHT_USER">
      <CertRoot Type="Wellknown" Value="0E" />
      <CertEKU ID="ID_EKU_ELAM" />
    </Signer>
    <Signer Name="Microsoft Flighting Root 2014 HAL EKU" ID="ID_SIGNER_HAL_FLIGHT_USER">
      <CertRoot Type="Wellknown" Value="0E" />
      <CertEKU ID="ID_EKU_HAL_EXT" />
    </Signer>
    <Signer Name="Microsoft Flighting Root 2014 WHQL EKU" ID="ID_SIGNER_WHQL_FLIGHT_SHA2_USER">
      <CertRoot Type="Wellknown" Value="0E" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Microsoft MarketPlace PCA 2011" ID="ID_SIGNER_STORE">
      <CertRoot Type="TBS" Value="FC9EDE3DCCA09186B2D3BF9B738A2050CB1A554DA2DCADB55F3F72EE17721378" />
      <CertEKU ID="ID_EKU_STORE" />
    </Signer>
    <Signer Name="Microsoft Flighting Root 2014 Store EKU" ID="ID_SIGNER_STORE_FLIGHT_ROOT">
      <CertRoot Type="Wellknown" Value="0E" />
      <CertEKU ID="ID_EKU_STORE" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 RT EKU" ID="ID_SIGNER_RT_PRODUCTION">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_RT_EXT" />
    </Signer>
    <Signer Name="MincryptKnownRootMicrosoftDMDRoot2005" ID="ID_SIGNER_DRM">
      <CertRoot Type="Wellknown" Value="0C" />
    </Signer>
    <Signer Name="MincryptKnownRootMicrosoftProductRoot2010" ID="ID_SIGNER_DCODEGEN">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_DCODEGEN" />
    </Signer>
    <Signer Name="MincryptKnownRootMicrosoftStandardRoot2011" ID="ID_SIGNER_AM">
      <CertRoot Type="Wellknown" Value="07" />
      <CertEKU ID="ID_EKU_AM" />
    </Signer>
    <Signer Name="Microsoft Flighting Root 2014 RT EKU" ID="ID_SIGNER_RT_FLIGHT">
      <CertRoot Type="Wellknown" Value="0E" />
      <CertEKU ID="ID_EKU_RT_EXT" />
    </Signer>
    <Signer Name="Microsoft Standard Root 2011 RT EKU" ID="ID_SIGNER_RT_STANDARD">
      <CertRoot Type="Wellknown" Value="07" />
      <CertEKU ID="ID_EKU_RT_EXT" />
    </Signer>
    <Signer Name="Microsoft Standard Root 2011 Enclave EKU" ID="ID_SIGNER_ENCLAVE">
      <CertRoot Type="Wellknown" Value="07" />
      <CertEKU ID="ID_EKU_ENCLAVE" />
    </Signer>
    <Signer Name="Microsoft Code Signing PCA 2011" ID="ID_SIGNER_MICROSOFT_REFRESH_POLICY">
      <CertRoot Type="TBS" Value="F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E" />
      <CertPublisher Value="Microsoft Corporation" />
      <FileAttribRef RuleID="ID_FILEATTRIB_REFRESH_POLICY" />
    </Signer>
    <Signer Name="MincryptKnownRootMicrosoftTestRoot2010" ID="ID_SIGNER_TEST2010_USER">
      <CertRoot Type="Wellknown" Value="0A" />
    </Signer>
    <Signer Name="DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" ID="ID_SIGNER_S_1">
      <CertRoot Type="TBS" Value="65B1D4076A89AE273F57E6EEEDECB3EAE129B4168F76FA7671914CDF461D542255C59D9B85B916AE0CA6FC0FCF7A8E64" />
      <CertPublisher Value="Australian Signals Directorate" />
    </Signer>
    <Signer Name="DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" ID="ID_SIGNER_S_2">
      <CertRoot Type="TBS" Value="65B1D4076A89AE273F57E6EEEDECB3EAE129B4168F76FA7671914CDF461D542255C59D9B85B916AE0CA6FC0FCF7A8E64" />
      <CertPublisher Value="Airlock Digital Pty Ltd" />
      <FileAttribRef RuleID="ID_FILEATTRIB_A_1" />
    </Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 09-13-2024" Value="131">
      <ProductSigners>
        <AllowedSigners>
          <AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION" />
          <AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION" />
          <AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_MD5" />
          <AllowedSigner SignerId="ID_SIGNER_WINDOWS_FLIGHT_ROOT" />
          <AllowedSigner SignerId="ID_SIGNER_ELAM_FLIGHT" />
          <AllowedSigner SignerId="ID_SIGNER_HAL_FLIGHT" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_FLIGHT_SHA2" />
          <AllowedSigner SignerId="ID_SIGNER_TEST2010" />
        </AllowedSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_ALLOW_ALL" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
    <SigningScenario ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 09-13-2024" Value="12">
      <ProductSigners>
        <AllowedSigners>
          <AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION_USER" />
          <AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION_USER" />
          <AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION_USER" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2_USER" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1_USER" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_MD5_USER" />
          <AllowedSigner SignerId="ID_SIGNER_WINDOWS_FLIGHT_ROOT_USER" />
          <AllowedSigner SignerId="ID_SIGNER_ELAM_FLIGHT_USER" />
          <AllowedSigner SignerId="ID_SIGNER_HAL_FLIGHT_USER" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_FLIGHT_SHA2_USER" />
          <AllowedSigner SignerId="ID_SIGNER_STORE" />
          <AllowedSigner SignerId="ID_SIGNER_STORE_FLIGHT_ROOT" />
          <AllowedSigner SignerId="ID_SIGNER_RT_PRODUCTION" />
          <AllowedSigner SignerId="ID_SIGNER_DRM" />
          <AllowedSigner SignerId="ID_SIGNER_DCODEGEN" />
          <AllowedSigner SignerId="ID_SIGNER_AM" />
          <AllowedSigner SignerId="ID_SIGNER_RT_FLIGHT" />
          <AllowedSigner SignerId="ID_SIGNER_RT_STANDARD" />
          <AllowedSigner SignerId="ID_SIGNER_ENCLAVE" />
          <AllowedSigner SignerId="ID_SIGNER_MICROSOFT_REFRESH_POLICY" />
          <AllowedSigner SignerId="ID_SIGNER_TEST2010_USER" />
          <AllowedSigner SignerId="ID_SIGNER_S_1" />
          <AllowedSigner SignerId="ID_SIGNER_S_2" />
        </AllowedSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_ALLOW_ALL_PATHS" />
          <FileRuleRef RuleID="ID_DENY_A_1" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners>
    <CiSigner SignerId="ID_SIGNER_STORE" />
    <CiSigner SignerId="ID_SIGNER_MICROSOFT_REFRESH_POLICY" />
    <CiSigner SignerId="ID_SIGNER_S_1" />
    <CiSigner SignerId="ID_SIGNER_S_2" />
  </CiSigners>
  <HvciOptions>1</HvciOptions>
  <Settings>
    <Setting Provider="PolicyInfo" Key="Information" ValueName="Name">
      <Value>
        <String>E8ML1AllowNonUserWriteable</String>
      </Value>
    </Setting>
    <Setting Provider="PolicyInfo" Key="Information" ValueName="Id">
      <Value>
        <String>2024-09-16</String>
      </Value>
    </Setting>
    <Setting Provider="AllHostIds" Key="AllKeys" ValueName="EnterpriseDefinedClsId">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
  </Settings>
</SiPolicy>

Devicie Template Name: ACSC E8 Nov 2023-ML1 App control-Block

Default Intune Deployed Name: DEVICIE-PROD-ACSC E8 Nov 2023-ML1 App control-Block

Version: 1.0

Template Last Updated: Nov 18, 2024

Document Last Updated: Jun 12, 2025