Watching my miniature schnauzer, Raven, explore my backyard, I’m reminded of the importance of having a clear set of rules and guidelines. Just like Raven has her own schema to navigate her environment—knowing where she can wander, where she shouldn't venture, and how to interact. Application Control for Business (ACfB) provides a robust schema to help organizations manage and secure their digital landscapes.
Note: ACfB has also been known as Windows Defender Application Control (WDAC), Application Control for Windows and Code Integrity.
In Raven's serene world, her schema might look something like this:
Safe Zones: The grassy lawn where she can leisurely sniff around and her favorite shady spot under the tree.
Restricted Zones: The delicate garden beds and the tempting koi pond, which are off-limits to her curious paws.
Behavior Rules: Guidelines for greeting other animals and people, ensuring she remains the friendly neighborhood pup.
Similarly, ACfB's schema defines the rules and guidelines for managing applications and code within an organization:
Approved Applications: Software that is allowed to run, ensuring it is safe and trusted.
Restricted Applications: Programs that are blocked from execution to prevent potential security threats.
Execution Rules: Policies that dictate how applications can interact with the system, ensuring a secure and controlled environment.
For Raven, following her schema with precision is key. It keeps her out of trouble and ensures she enjoys her outdoor time without any mishaps. The order of her schema is equally important. She needs to know the safe zones before understanding the restricted ones, and she must learn the behavior rules to interact safely with others.
Similarly, for organizations, adhering to ACfB's schema is crucial. It ensures that only approved applications run, restricted applications are blocked, and execution rules are followed, maintaining a secure and efficient digital landscape.
Similarly, ACfB's schema defines precise rules for applications, ensuring that only trusted software runs on your systems, protecting against malicious code and unauthorized access. The order in which these rules and policies are defined is critical. Just as Raven's schema order helps her navigate her environment effectively, the correct order of elements in the ACfB schema ensures that the policy is correctly interpreted and enforced.
Application Control for Business - Schema Overview
The ACfB schema provides a comprehensive framework for defining rules and policies that control which applications are allowed to run on your systems. It ensures that only trusted applications are executed, enhancing security and compliance.
XML Structure Overview
The XML structure used in the schema provides a high-level view of how the elements and attributes are organized. This structure ensures that the policy is correctly interpreted and enforced by Application Control for Business.
Policy Information
This section includes metadata about the policy, such as its name, ID, version, and description. It provides essential information for identifying and managing different policies.
SiPolicy Elements (Policy controls)
Detailed descriptions of the elements that control the policy, such as rules for allowing or blocking applications. These elements define the core functionality of the policy.
Rules
Definitions of the various rules that can be applied within the policy, specifying what is allowed or denied. These rules are crucial for controlling application behavior.
FileRules
Specific rules related to files, including how they are identified and controlled. This section ensures that only trusted files are allowed to execute.
Signers
Information about the entities that sign the applications, ensuring they are trusted. This section is crucial for maintaining the integrity and trustworthiness of applications.
SigningScenarios
Different scenarios in which signing is used, providing context for when and how applications should be signed. This section helps ensure that signing practices are consistently applied.
CiSigners
Information about code integrity signers, who are responsible for ensuring the integrity of the code. This section is crucial for maintaining code integrity.
Settings
General settings for the policy, including various configuration options. These settings control the overall behavior of the policy.
EKUs
Extended Key Usages, which specify the purposes for which a certificate can be used. This section ensures that certificates are used appropriately.
UpdatePolicySigners
Information about the signers who are authorized to update the policy. This section ensures that only trusted entities can modify the policy.
HVCIOptions
Detailed descriptions of the hypervisor-protected code integrity options. These details define the characteristics and configurations of each option.
Macros
Definitions of macros used within the policy, allowing for reusable configurations. This section provides flexibility and efficiency in policy management.
SupplementalPolicySigners
Information about additional signers who can supplement the main policy. This section ensures that the policy can be extended and updated as needed.
SupplementalPolicySigners Elements and Attributes
Application Control for Business Schema
The ACfB schema, as defined in the provided file (CiPolicy.xsd), is a comprehensive XML schema that outlines the structure and rules for creating and managing security policies within the Application Control for Business framework. This schema includes various elements and attributes that specify how policies are constructed, validated, and enforced. Key components of the schema include definitions for file rules, signers, signing scenarios, and policy settings, each with specific attributes and nested elements that provide detailed control over the security configurations.
The primary purpose of the ACfB schema is to enhance the security posture of Windows environments by ensuring that only trusted and verified code is allowed to execute. By defining rules for allowing or denying specific files, managing trusted signers, and specifying conditions under which certain policies apply, the ACfB schema helps administrators create granular and flexible security policies. These policies protect against unauthorized code execution, maintain system integrity, and ensure compliance with organizational security standards.
Application Control Bypass
ACfB provides the ability to lock down endpoints effectively, but there are some potential bypasses that need to be addressed. Certain legitimate applications, such as powershell.exe, msbuild.exe, and wscript.exe, can be exploited by attackers to circumvent these controls. Blocking these applications is recommended unless they are absolutely necessary for business operations.
Additionally, keeping software up to date is crucial to mitigate vulnerabilities. For instance, older versions of BGInfo are vulnerable and should be blocked, while the latest version has resolved these security issues. The security community has been instrumental in identifying these vulnerabilities and helping to protect users. Following these recommendations is vital to ensure our systems remain secure.
For complete details, please refer to the full article on Microsoft's website:
An ACfB policy XML file consists of several key sections:
Policy Information: Metadata about the policy.
Rules: Definitions of what is allowed or denied.
File Rules: Specific rules for files and applications.
Signing Rules: Rules for signed applications and drivers.
Policy Information
The <SiPolicy> Root Element is used to define the overall security policy for the system. This element encompasses various configurations and settings that dictate how the security policy is enforced. It includes details such as policy type, policy rules, and other critical parameters that ensure the integrity and security of the system. By configuring <SiPolicy>, organizations can establish a comprehensive security framework that governs the behavior of applications and code execution on the system.
SiPolicy
|-----
Attributes
|
|-----
FriendlyName
|
|-----
PolicyType
|
|------------------------
"Base Policy"
|
|------------------------
"Supplemental Policy"
|
|------------------------
"AppID Tagging Policy"
|
|-----
Elements
|-----
VersionEx *1, *2
|-----
PolicyTypeID *2
|-----
PlatformID *1, *2
|-----
PolicyID * 2
|-----
BasePolicyID *2
|-----
Rules
|----- Rule
|-----
EKUs
|-----
FileRules
|-----
Signers
|-----
SigningScenarios
|-----
UpdatePolicySigners
|-----
CiSigners
|-----
HvciOptions
|-----
Settings
|-----
Macros
|-----
SupplementalPolicySigners
|-----
AppSettings
*1 - Required
*2 - These elements are used for defining and managing the ACfB policies on an endpoint.
SiPolicy Elements (Policy controls)
Element Names
Description
VersionEx
Specifies the extended version of the policy.
PolicyTypeID
Used to uniquely identify and manage different types of polices
PolicyID
The unique identifier for the policy.
BasePolicyID
The GUID of the base policy, if applicable.
PlatformID
The identifier for the platform the policy applies to.
There are a total of 17 sub-elements available under <SiPolicy> in a ACfB policy XML file.
Element Names
Description
Notes
<VersionEx>
Specifies the version of the System Integrity policy.
Required
<PolicyTypeID>
Unique identifier for the policy type.
<PlatformID>
Unique identifier for the platform.
Required
<PolicyID>
Unique identifier for the policy.
<BasePolicyID>
Unique identifier for the base policy.
<Rules>
The <Rules> sub-element is used to define various options and settings related to the rules enforced by the policy. These options can include configurations such as enabling or disabling specific rule types, setting enforcement levels, and other parameters that control how the rules are applied. By configuring <RulesOptions>, organizations can fine-tune the behavior of their security policies to meet specific requirements and ensure that the rules are enforced in a manner that aligns with their security objectives.
Contains a sequence of <Rule> elements defining various policy rules.
<EKUs>
The <EKUs> element defines Extended Key Usage (EKU) settings for the ACfB policy. EKUs specify the purposes for which a certificate can be used, such as code signing or server authentication. This element can include multiple EKU definitions, each specified within an <EKU> element. By defining EKUs, administrators can ensure that only certificates with the appropriate usage attributes are trusted, providing an additional layer of security for the system.
Collection of Extended Key Usage (EKU) elements.
FileRules
The <FileRules> element specifies how applications and drivers are identified and allowed or denied. This element can include rules based on file attributes, hashes, paths, publishers, and certificates. For example, you can allow a specific file by its hash or allow all files in a particular directory. The flexibility of <FileRules> allows administrators to create granular policies that precisely control which files are permitted to execute, enhancing the security posture of the system.
Collection of file rules.
Signers
The <Signers> element defines trusted signers for applications and drivers. This element can include various types of signers, such as FilePublisher, LeafCertificate, PcaCertificate, and RootCertificate. Each signer type specifies different levels of trust, from individual files to entire certificate chains. By defining trusted signers, administrators can ensure that only applications and drivers signed by recognized entities are allowed to run, reducing the risk of malware and unauthorized software.
Collection of signers.
SigningScenarios
The <SigningScenarios> element specifies different scenarios under which signing rules apply. This element can include scenarios for drivers, Windows components, and other specific use cases. Each scenario is defined within a <SigningScenario> element, which includes details such as the scenario value, ID, and friendly name. By defining signing scenarios, administrators can create policies that apply different rules based on the context in which an application or driver is executed, providing more nuanced control over software execution.
Collection of signing scenarios.
UpdatePolicySigners
The <UpdatePolicySigners> element defines signers that are trusted to update the ACfB policy. This element can include various types of signers, such as FilePublisher, LeafCertificate, PcaCertificate, and RootCertificate. By specifying trusted update policy signers, administrators can ensure that only authorized entities can modify the ACfB policy, preventing unauthorized changes that could compromise the security of the system.
Collection of signers for system integrity policy updating.
CiSigners
The <CiSigners> element defines Code Integrity signers that are trusted for all builds, including retail builds. This element is typically used to include enterprise signers or production signers that are trusted across the organization. By specifying trusted Code Integrity signers, administrators can ensure that only code signed by recognized entities is allowed to run, enhancing the overall security of the system.
Collection of signers trusted for CI signing levels.
HvciOptions
Hypervisor-Protected Code Integrity (HVCI) leverages virtualization-based security (VBS) to ensure that only trusted code runs in kernel mode
Specifies (HVCI) settings.
Settings
The <Settings> element includes additional settings for the ACfB policy. This element can define various configuration options, such as policy information, enterprise-defined settings, and other custom settings. Each setting is specified within a <Setting> element, which includes details such as the provider, key, value name, and value. By configuring these settings, administrators can customize the behavior of the ACfB policy to meet the specific needs of their organization.
Collection of setting elements.
Macros
The <Macros> element defines a collection of macro definitions that can be used throughout the policy. Macros allow for text substitution, making it easier to manage and update policy configurations. Each macro is defined within a <Macro> element, which includes an ID and a value. By using macros, administrators can simplify the policy management process and ensure consistency across different policy elements.
Collection of macro definitions.
SupplementalPolicySigners
The <SupplementalPolicySigners> element defines a collection of signers for supplemental policies. These signers are trusted to sign additional policies that extend or modify the base policy. By specifying supplemental policy signers, administrators can ensure that only authorized entities can create or update supplemental policies, maintaining the integrity and security of the overall policy framework.
Collection of signers for supplemental policies.
AppSettings
The <AppSettings> element defines a collection of application settings. These settings can include various configuration options specific to applications, such as manifest paths and custom settings. Each application setting is defined within an <App> element, which includes details such as the manifest path and individual settings. By configuring application settings, administrators can tailor the behavior of specific applications to meet organizational requirements.
The <Rules> sub-element is used to organize and manage various rules within the policy. It contains a sequence of <Rule> elements, each defined by the Rules complex type. These rules specify configurations such as enabling or disabling specific options, setting enforcement levels, and other parameters that control how the rules are applied. By configuring the <Rules> sub-element, organizations can fine-tune the behavior of their security policies to meet specific requirements and ensure that the rules are enforced in a manner that aligns with their security objectives.
Rules
|------
Rule
|------
RuleType
|------
Option
|------
Enabled:UMCI
|------
Enabled:Boot Menu Protection
|------
Enabled:Intelligent Security Graph Authorization
|------
Enabled:Invalidate EAs on Reboot
|------
Required:WHQL
|------
Enabled:Developer Mode Dynamic Code Trust
|------
Enabled:Allow Supplemental Policies
|------
Disabled:Runtime FilePath Rule Protection
|------
Enabled:Revoked Expired As Unsigned
|------
Enabled:Audit Mode
|------
Disabled:Flight Signing
|------
Enabled:Inherit Default Policy
|------
Enabled:Unsigned System Integrity Policy
|------
Enabled:Dynamic Code Security
|------
Required:EV Signers
|------
Enabled:Boot Audit On Failure
|------
Enabled:Advanced Boot Options Menu
|------
Disabled:Script Enforcement
|------
Required:Enforce Store Applications
|------
Enabled:Secure Setting Policy
|------
Enabled:Managed Installer
|------
Enabled:Update Policy No Reboot
|------
Enabled:Conditional Windows Lockdown Policy
Rules Options
Option Types
Description
Enabled:UMCI
Enables User Mode Code Integrity (UMCI), ensuring that only trusted code runs in user mode.
Enabled:Boot Menu Protection
Enables protection for the boot menu, preventing unauthorized changes to boot configurations.
Enabled:Intelligent Security Graph Authorization
Utilizes the Intelligent Security Graph to authorize applications, enhancing security by leveraging Microsoft's threat intelligence.
Enabled:Invalidate EAs on Reboot
Invalidates Extended Attributes (EAs) on reboot, ensuring that any changes to EAs are not persistent across reboots.
Required:WHQL
Requires that drivers are Windows Hardware Quality Labs (WHQL) certified, ensuring they meet Microsoft's quality standards.
Enabled:Developer Mode Dynamic Code Trust
Enables dynamic code trust for developer mode, allowing developers to run and test code that may not be signed.
Enabled:Allow Supplemental Policies
Allows the use of supplemental policies, which can extend or modify the base policy.
Disabled:Runtime FilePath Rule Protection
Disables runtime protection for file path rules, potentially reducing security but allowing more flexibility.
Enabled:Revoked Expired As Unsigned
Treats revoked or expired certificates as unsigned, preventing code signed with such certificates from running.
Enabled:Audit Mode
Enables audit mode, which logs policy violations without enforcing them, useful for testing and monitoring.
Disabled:Flight Signing
Disables flight signing, which is used for pre-release software testing.
Enabled:Inherit Default Policy
Allows the policy to inherit settings from the default policy, ensuring consistency and reducing configuration effort.
Enabled:Unsigned System Integrity Policy
Enables the use of unsigned system integrity policies, which can be useful in certain testing or development scenarios.
Enabled:Dynamic Code Security
Enhances security by enabling dynamic code security measures, which help protect against runtime code modifications.
Required:EV Signers
Requires Extended Validation (EV) certificates for code signing, providing a higher level of trust.
Enabled:Boot Audit On Failure
Enables auditing of boot failures, helping to diagnose and troubleshoot boot issues.
Enabled:Advanced Boot Options Menu
Enables the advanced boot options menu, providing additional boot options for troubleshooting and recovery.
Disabled:Script Enforcement
Disables enforcement of script policies, allowing scripts to run without being subject to policy restrictions.
Required:Enforce Store Applications
Requires that only applications from the Microsoft Store are allowed to run, enhancing security by restricting software sources.
Enabled:Secure Setting Policy
Enables secure setting policies, which enforce additional security settings.
Enabled:Managed Installer
Allows the use of a managed installer, which can install and manage applications according to policy.
Enabled:Update Policy No Reboot
Enables policy updates without requiring a reboot, reducing downtime and improving user experience.
Enabled:Conditional Windows Lockdown Policy
Enables conditional lockdown policies, which can enforce stricter security measures based on certain conditions.
<!-- Other policy elements here -->
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
The <FileRules> sub-element is used to define various options and settings related to file rules enforced by the policy. These options can include configurations such as specifying file types to be monitored, setting enforcement levels for different file operations, and other parameters that control how file rules are applied. By configuring <FileRules>, organizations can customize the behavior of their file security policies to meet specific requirements and ensure that file operations are monitored and controlled in a manner that aligns with their security objectives.
FileRules
|------
Allow
|
|--------
ID *1
|
|--------
FriendlyName
|
|--------
FileName
|
|--------
InternalName
|
|--------
FileDescription
|
|--------
ProductName
|
|--------
PackageFamilyName
|
|--------
PackageVersion
|
|--------
MinimumFileVersion
|
|--------
MaximumFileVersion
|
|--------
Hash
|
|--------
AppIDs
|
|--------
FilePath
|
|------
Deny
|
|--------
ID *1
|
|--------
FriendlyName
|
|--------
FileName
|
|--------
InternalName
|
|--------
FileDescription
|
|--------
ProductName
|
|--------
PackageFamilyName
|
|--------
PackageVersion
|
|--------
MinimumFileVersion
|
|--------
MaximumFileVersion
|
|--------
Hash
|
|--------
AppIDs
|
|--------
FilePath
|
|------
FileAttrib
|
|--------
ID *1
|
|--------
FriendlyName
|
|--------
FileName
|
|--------
InternalName
|
|--------
FileDescription
|
|--------
ProductName
|
|--------
PackageFamilyName
|
|--------
PackageVersion
|
|--------
MinimumFileVersion
|
|--------
MaximumFileVersion
|
|--------
Hash
|
|--------
AppIDs
|
|--------
FilePath
|
|------
FileRule
|--------
ID *1
|--------
FriendlyName
|--------
FileName
|--------
InternalName
|--------
FileDescription
|--------
ProductName
|--------
PackageFamilyName
|--------
PackageVersion
|--------
MinimumFileVersion
|--------
MaximumFileVersion
|--------
Hash
|--------
AppIDs
|--------
FilePath
|--------
Type *1
|-------------------
"Match"
|-------------------
"Exclude"
|-------------------
"Attribute"
*1 = Required
FileRules Elements and Attributes
There are 4 elements and 13 attributes available for FileRules. The elements specify how applications and drivers are identified and allowed or denied based on various attributes within the ACfB policy. The attributes allow administrators to specify criteria based on various properties of files, such as their cryptographic hash, file name, file path, publisher's certificate, and more. This ensures that only trusted and verified files are permitted to execute
Element Names
Attribute Names
Description
Allow
Deny
FileAttrib
FileRule
AppIDs
Application IDs associated with the file, used for additional identification and management.
FileDescription
A description of the file, providing more context about its purpose and usage.
FileName
Specifies the name of the file to allow. Ensures that only files with this exact name are permitted to run.
FilePath
Specifies the path of the file to allow. Ensures that only files located in this specific path are permitted to run.
FriendlyName
A user-friendly name for the rule, making it easier to identify and manage.
Hash
Specifies the cryptographic hash of the file to allow. Provides a high level of security by ensuring that only the exact file with this hash is permitted to run.
ID
Unique identifier for the rule.
(Required)
InternalName
The internal name of the file, often used for additional verification.
MaximumFileVersion
Specifies the maximum version of the file to allow. Prevents the execution of potentially outdated or insecure versions.
MinimumFileVersion
Specifies the minimum version of the file to allow. Ensures that only updated and secure versions are permitted.
PackageFamilyName
The package family name for the file, used to group related files together.
PackageVersion
The version of the package that the file belongs to, ensuring compatibility and version control.
ProductName
The name of the product associated with the file, helping to identify the software it belongs to.
FileRule (only)
Type
Specifies the type of rule being applied, such as Match, Exclude, or Attribute. This attribute defines the condition under which the rule applies, allowing for precise control over how files are identified and managed.
(Required)
<!-- Other policy elements here -->
<FileRules>
<FileAttrib ID="ID_FILEATTRIB_A_1" FriendlyName="Allow files based on file attributes: 16.0.18429.20114 and WinWord.exe" FileName="*" MinimumFileVersion="16.0.18429.20114"/>
<Allow ID="ID_ALLOW_PATH_0_1_0" FriendlyName="Allow by path: %OSDRIVE%\Program Files\PuTTY\putty.exe" FilePath="%OSDRIVE%\Program Files\PuTTY\putty.exe"/>
<Deny ID="ID_DENY_PATH_0_1_0" FriendlyName="Deny by path: %OSDRIVE%\Program Files\Notepad++\notepad++.exe" FilePath="%OSDRIVE%\Program Files\Notepad++\notepad++.exe"/>
<Allow ID="ID_ALLOW_A_1_1_0" FriendlyName="Allow files based on file attributes: Google Chrome" FileDescription="Google Chrome"/>
</FileRules>
<!-- Other policy elements here -->
Signers
The <Signers> sub-element is a collection of <Signer> elements that are trusted to sign applications and drivers. It includes various sub-elements that define the details of each signer. These options can include configurations such as specifying the criteria for trusted signers, setting validation levels for signer certificates, and other parameters that control how signers are managed and verified. By configuring <Signers>, organizations can ensure that only authorized and trusted signers are allowed, enhancing the security and integrity of the system by preventing unauthorized code from being executed.
Sub-element:<Signer> of <Signers>
The <Signer> sub-element defines an individual signer and includes several attributes and nested elements that specify the details of the signer's certificate and other relevant information.
Signers
|------
Signer
|------
Attributes
|
|------
Name
|
|------
ID
|
|------
SignTimeAfter
|
|------
Certroot *1
|
|------
Attribute
|
|------
Type *1
|
|-----
"TBS"
|
|-----
"WellKnown"
|
|
|------
Value *1
|------
CertEKU
|
|------
Attribute
|
|------
ID *1
|------
CertIssuer
|
|------
Attribute
|
|------
Value *1
|------
CertPublisher
|
|------
Attribute
|
|------
Value *1
|------
CertOemID
|
|------
Attribute
|
|------
Value *1
|------
FileAttribRef
|------
Attribute
|------
RuleID *1
*1 = Required
Signers Elements and Attributes
Element Names
Attribute Names
Description
Signers
A collection of Signer elements that define individual signers trusted to sign applications and drivers.
Signer
Name
Specifies the name of the signer.
ID
Unique identifier for the signer.
SignTimeAfter
Specifying the time after which the signer's certificate is valid.
CertRoot
Type
Specifies the root certificate for a signer.
(Required)
Value
Specifies the value of the root certificate in hexBinary form.
CertEKU
ID
Specifies the EKU ID.
CertIssuer
Value
Specifies the value of the issuer certificate.
CertPublisher
Value
Specifies the value of the publisher certificate.
CertOemID
Value
Specifies the value of the OEM ID.
FileAttribRef
RuleID
References a file attribute rule through its ID.
<!-- Other policy elements here -->
<FileRules>
<FileAttrib ID="ID_FILEATTRIB_A_2" FriendlyName="Allow files based on file attributes: 132.0.6834.111 and chrome.exe" FileName="*" MinimumFileVersion="132.0.6834.111"/>
<FileAttrib ID="ID_FILEATTRIB_A_1_1_0" FriendlyName="Deny files based on file attributes: 21.4.7.25431 and SNAGIT32.EXE" FileName="*" MinimumFileVersion="21.4.7.25431"/>
The <SigningScenarios> element is used to define the different scenarios in which code signing is required or trusted. These scenarios specify the conditions under which code must be signed to be considered valid and executable. By configuring <SigningScenarios>, organizations can enforce code signing policies that ensure only authorized and trusted code is allowed to run. This helps in maintaining the integrity and security of the system by preventing the execution of unauthorized or malicious code.
SigningScenarios
|
SigningScenario
|----------
Attributes
|
|----------
ID *1
|
|----------
FriendlyName
|
|----------
Value *1
|
|----------
InheritedScenarios
|
|----------
MinimumHashAlgorithm
|
|----------
ProductSigners *1
|
|----------
AllowedSigners
|
|
|---------------
Attributes
|
|
|
|---------
Workaround
|
|
|
|
|
|---------------
AllowedSigner
|
|
|---------
Attributes
|
|
|
|-------
SignerId
|
|
|
|
|
|---------
ExceptDenyRule
|
|
|-------
Attributes
|
|----------
DeniedSigners
|-------
DenyRuleId
|
|
|---------------
Attributes
|
|
|
|---------
Workaround
|
|
|
|
|
|---------------
DeniedSigner
|
|
|---------
Attributes
|
|
|
|-------
SignerId
|
|
|
|
|
|---------
ExceptAllowRule
|
|
|-------
Attributes
|
|----------
FileRulesRef
|-------
AllowRuleId
|
|---------------
Atributes
|
|
|---------
Workaround
|
|
|
|---------------
FileRuleRef
|
|---------
RuleId
|
|----------
TestSigners
|
|----------
AllowedSigners
|
|
|---------------
Attributes
|
|
|
|---------
Workaround
|
|
|
|
|
|---------------
AllowedSigner
|
|
|---------
Attributes
|
|
|
|-------
SignerId
|
|
|
|
|
|---------
ExceptDenyRule
|
|
|-------
Attributes
|
|----------
DeniedSigners
|-------
DenyRuleId
|
|
|---------------
Attributes
|
|
|
|---------
Workaround
|
|
|
|
|
|---------------
DeniedSigner
|
|
|---------
Attributes
|
|
|
|-------
SignerId
|
|
|
|
|
|---------
ExceptAllowRule
|
|
|-------
Attributes
|
|----------
FileRulesRef
|-------
AllowRuleId
|
|---------------
Atributes
|
|
|---------
Workaround
|
FileRuleRef
|
|---------------
Atributes
|
|
|---------
Workaround
|
|
|
|---------------
FileRuleRef
|
|---------
RuleId
|
|----------
TestSigningSigners
|
|----------
AllowedSigners
|
|
|---------------
Attributes
|
|
|
|---------
Workaround
|
|
|
|
|
|---------------
AllowedSigner
|
|
|---------
Attributes
|
|
|
|-------
SignerId
|
|
|
|
|
|---------
ExceptDenyRule
|
|
|-------
Attributes
|
|----------
DeniedSigners
|-------
DenyRuleId
|
|
|---------------
Attributes
|
|
|
|---------
Workaround
|
|
|
|
|
|---------------
DeniedSigner
|
|
|---------
Attributes
|
|
|
|-------
SignerId
|
|
|
|
|
|---------
ExceptAllowRule
|
|
|-------
Attributes
|
|----------
FileRulesRef
|-------
AllowRuleId
|
|---------------
Atributes
|
|
|---------
Workaround
|
FileRuleRef
|
|---------------
Atributes
|
|
|---------
Workaround
|
|
|
|---------------
FileRuleRef
|
|---------
RuleId
|
|----------
AppIDTags
|----------
Attributes
|
|---------------
EnforceDLL
|
|----------
AppIDTag
|---------------
Attributes
|---------
Key
|---------
Value
*1 = Required
SigningScenarios Elements and Attributes
Element Names
Nested Elements
Attribute Name
Description
SigningScenarios
ID
A unique identifier for the signing scenario.
FriendlyName
Helps in easily identifying and managing the signing scenario.
InheritedScenarios
Allows the signing scenario to inherit rules and settings from other defined scenarios, promoting reuse and consistency.
MinimumHashAlgorithm
Ensures that only cryptographic hashes meeting the specified algorithm criteria are considered valid.
Value
Required and defines the specific context or condition under which the signing scenario applies.
ProductSigners,
TestSigners, TestSigningSigners
AllowedSigners
WorkAround
Provides flexibility in handling specific scenarios or exceptions that may not be directly addressed by the standard schema definitions, allowing for customized solutions to unique challenges.
AllowedSigner
SignerId
Each signer can be distinctly recognized and referenced within the ACfB policy, allowing for precise control over which signers are trusted or denied.
AllowedSigner/ExceptDenyRule
DenyRuleId
Used in the ExceptDenyRule element to reference a specific deny rule, making the allow rule conditional based on the deny rule.
DeniedSigners
WorkAround
Provides flexibility in handling specific scenarios or exceptions that may not be directly addressed by the standard schema definitions, allowing for customized solutions to unique challenges.
DeniedSigner
SignerId
Used in the AllowedSigner and DeniedSigner elements to distinctly recognize and reference each signer.
DeniedSigner/ExceptAllowRule
AllowRuleId
Specification of the AllowRuleId.
FileRulesRef
Workaround
Provides flexibility in handling specific scenarios or exceptions that may not be directly addressed by the standard schema definitions, allowing for customized solutions to unique challenges.
FileRuleRef
RuleId
Specifies the ID of the file rule.
AppIDTags
EnforceDLL
If enabled ensures that only trusted DLLs are allowed to load.
AddIDTag
Key
Specifies the key for the application ID tag.
Value
Specifies the value for the application ID tag.
CiSigners
<CiSigners> are signers that ConfigCI asks CI to trust for all builds, including retail builds.
Normally CiSigners is empty or only includes production signers. For enterprise ConfigCI policy, you may need to include enterprise signers. Just make sure it is understood that CiSigners will be trusted by CI for ALL builds.
CiSigners
|------
CiSigner *1
|------
Attribute
|------
SignerId
*1 = Required
Element Names
Attribute Names
Description
CiSigners
A collection of CiSigner elements.
CiSigner
SignerId
To distinctly recognize and reference each signer within the ACfB policy.
The <Settings> sub-element is used to define various configuration settings for the policy. These settings can include options such as enabling or disabling specific features, setting enforcement levels, and other parameters that control the behavior of the policy. By configuring <Settings>, organizations can customize the policy to meet their specific security requirements and operational needs. This helps in ensuring that the policy is applied in a manner that aligns with the organization's security objectives and operational practices.
Settings
|-----
Setting
|-----
Attribute
|
|-----
Provider *1
|
|-----
Key *1
|
|-----
ValueName *1
|
|-----
Value
|-----
SettingValueType *1
|------------
BooleanType
|------------
DWordType
|------------
xs:hexBinary
|------------
xs:string
*1 = Required
Settings, Elements, Attributes and SettingValueType
Element Names
Attribute Names
Description
Settings
Collection of Setting(s).
Setting
Provider
Specifies the source or context of the setting.
Required
Key
Defines the category or type of information the setting pertains to.
Required
ValueName
Specifies the name of the specific value being set.
Required
Setting/Value/SettingValueType
Required
BooleanType
Represents a Boolean value, which can be either true or false.
DWordType
Represents a double word (32-bit unsigned integer) value.
The <EKUs> sub-element is used to define the Extended Key Usage (EKU) attributes for certificates. EKUs specify the purposes for which the certificate's public key can be used, such as code signing, server authentication, and client authentication. By specifying EKUs, organizations can ensure that certificates are only used for their intended purposes, enhancing security and trust in digital communications.
EKUs
|----
EKU
|----
Attributes
|------
ID *1
|------
Value *1
|------
FriendlyName
*1 = Required
EKUs Elements and Attributes
Element Names
Attribute Names
Description
EKUs
Collection of EKU(s)
EKU
ID
A unique identifier for the Extended Key Usage.
Required
Value
Specifies the value of the EKU in hexBinary form.
Required
FriendlyName
An optional user-friendly name for the EKU.
<!-- Other policy elements here -->
<EKUs>
<EKU ID="ID_EKU_STORE" FriendlyName="Windows Store EKU - 1.3.6.1.4.1.311.76.3.1 Windows Store" Value="010a2b0601040182374c0301"/>
</EKUs>
<!-- Other policy elements here -->
UpdatePolicySigners
The <UpdatePolicySigners> sub-element is used to define the code signing certificates that are trusted for updating policy files. This ensures that only authorized entities can make changes to the policy, enhancing the security and integrity of the system. By specifying trusted signers, organizations can prevent unauthorized modifications and maintain control over policy updates.
updatepolicysigners
|---------
updatepolicysigner
|---------
Attribute
|-----
SignerId
UpdatePolicySigner Elements and Attributes
Element Names
Attribute Names
Description
UpdatePolicySigners
Collection of UpdatePolicySigner(s)
UpdatePolicySigner
SignerId
A unique identifier for the signer. This attribute ensures that each signer authorized to update the ACfB policy can be distinctly recognized and referenced, allowing for precise control over which signers are trusted to make policy updates.
The <HvciOptions> sub-element is used to define the Hypervisor-protected Code Integrity (HVCI) settings. Hypervisor-Protected Code Integrity (HVCI) leverages virtualization-based security (VBS) to ensure that only trusted code runs in kernel mode, providing an additional layer of protection against malware and other threats. HVCI uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust for the operating system. This isolated environment ensures that kernel mode code integrity checks are performed within a secure context, preventing unauthorized code from executing. This helps in preventing unauthorized code from executing, thereby maintaining the integrity and security of the operating environment.
HVCIOptions
Element Name
Description
HVCIOptions
A friendly name for the HVCI option.
The <HvciOptions> element expects a numeric value that represents the specific configuration settings. Here’s a detailed explanation:
Possible Values for HvciOptions
Enabled (Value: 1): Turns on HVCI, ensuring that only trusted code can run at the hypervisor level.
Strict (Value: 2): Enforces stricter code integrity checks, providing an additional layer of security.
DebugMode (Value: 4): Enables debugging features for HVCI, useful for development and troubleshooting.
DisableAllowed (Value: 8): Allows HVCI to be disabled by the user outside of the Code Integrity policy enablement method.
These values can be combined using bitwise OR operations to enable multiple settings simultaneously.
<!-- Other policy elements here -->
<HvciOptions>2</HvciOptions>
<!-- Other policy elements here -->
Macros
A collection of macro definitions that can be used throughout the policy. Macros allow for text substitution, making it easier to manage and update policy configurations by using predefined values. Each macro is defined within a Macro element, which includes an ID and a value. By using macros, administrators can simplify the policy management process and ensure consistency across different policy elements.
Macros
|-----
Macro
|
|-----
Attributes
|
|
|-----
Id *1
|
|
|-----
Value *1
|
|
|
|-----
Annotations
|
|-------
Documentation
|
|---------
(A Macro element defines a text substitution macro that can be used in other elements. Macros are referenced using NMAKE syntax, i.e. $(runtime.windows).)
|
|---------
(Required. The Id for this macro, used in macro references. For example, if the Id for this macro is "runtime.windows", the macro would be referenced as $(runtime.windows).)
|
|---------
(Required. The value that will be substituted for macro references in macro-enabled XML attributes.)
|
|-----
UniqueMacroId
|----------------
Selector (xpath="ps:Macro")
|----------------
Field (xpath="@Id")
*1 = Required
Macros Elements and Constraints
Element Names
Attribute Names
Description
Macro
Id
Used in macro references, allowing the macro to be called by its ID in other elements, ensuring consistency and ease of management.
Required
Value
Specifies the text to be substituted for macro references. This ensures that the defined value is consistently used wherever the macro is referenced, simplifying updates and maintenance.
Required
“Macros” Constraints
UniqueMacroId
Specifies the unique constraint's name, which in this case is UniqueMacroId. It ensures that each macro ID within the Macros element is unique, preventing duplication.
Selector
Defines the XPath expression used to select the elements to which the unique constraint applies. In this case, it selects the Macro elements within the Macros element.
Field
Specifies the field within the selected elements that must be unique. Here, it ensures that the Id attribute of each Macro element is unique within the Macros element.
SupplementalPolicySigners
The <SupplementalPolicySigners> element defines a collection of signers that are trusted to sign supplemental policies. Supplemental policies are additional policies that extend or modify the base policy, allowing for more granular and flexible control over application execution. The <SupplementalPolicySigners> element ensures that only authorized entities can create or update these supplemental policies, maintaining the integrity and security of the overall policy framework
SupplementalPolicySigners
|----------------
SupplementalPolicySigner
|----------------
Attributes
|-------
SignerId *1
*1 = Required
SupplementalPolicySigners Elements and Attributes
Element Names
Attribute Names
Description
SupplementalPolicySigner
Collection of Collection of SupplementalPolicySigner(s)
SignerId
A unique identifier for the signer. Ensures that each signer authorized to sign supplemental policies can be distinctly recognized and referenced, allowing for precise control over which signers are trusted to create or update supplemental policies
Required
Schema Definition (CiPolicy.xsd - 1/27/2025) and location
The current schema definition can be found on a Windows 11 device at:
C:\Windows\schemas\CodeIntegrity\cipolicy.xsd
ACfB Example Policy locations
On Windows 11, ACfB example policies are saved in the following locations:
These example policies can be used as a starting point to create custom policies for your organization's needs.
By implementing a well-structured and ordered schema, organizations can create a secure and efficient environment, much like how Raven's schema keeps her safe and happy in our backyard.
Thank you! I am using wizard to create first base policy and first supplemental policy. There are lots of choices to make and I am trying to keep from making a choice with "unintended consequences". Having this more detailed explanation of file structure and choices in wizard has been helpful today.
"}},"componentScriptGroups({\"componentId\":\"custom.widget.MicrosoftFooter\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"cachedText({\"lastModified\":\"1745505307000\",\"locale\":\"en-US\",\"namespaces\":[\"components/community/NavbarDropdownToggle\"]})":[{"__ref":"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1745505307000"}],"cachedText({\"lastModified\":\"1745505307000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/users/UserAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1745505307000"}],"cachedText({\"lastModified\":\"1745505307000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/ranks/UserRankLabel\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1745505307000"}],"cachedText({\"lastModified\":\"1745505307000\",\"locale\":\"en-US\",\"namespaces\":[\"components/tags/TagView/TagViewChip\"]})":[{"__ref":"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1745505307000"}],"cachedText({\"lastModified\":\"1745505307000\",\"locale\":\"en-US\",\"namespaces\":[\"components/users/UserRegistrationDate\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserRegistrationDate-1745505307000"}],"cachedText({\"lastModified\":\"1745505307000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1745505307000"}],"cachedText({\"lastModified\":\"1745505307000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeDescription\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1745505307000"}],"cachedText({\"lastModified\":\"1745505307000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageListMenu\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageListMenu-1745505307000"}],"message({\"id\":\"message:4399218\"})":{"__ref":"BlogReplyMessage:message:4399218"},"cachedText({\"lastModified\":\"1745505307000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeIcon\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1745505307000"}]},"Theme:customTheme1":{"__typename":"Theme","id":"customTheme1"},"User:user:-1":{"__typename":"User","id":"user:-1","uid":-1,"login":"Deleted","email":"","avatar":null,"rank":null,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":"ANONYMOUS","registrationTime":null,"confirmEmailStatus":false,"registrationAccessLevel":"VIEW","ssoRegistrationFields":[]},"ssoId":null,"profileSettings":{"__typename":"ProfileSettings","dateDisplayStyle":{"__typename":"InheritableStringSettingWithPossibleValues","key":"layout.friendly_dates_enabled","value":"false","localValue":"true","possibleValues":["true","false"]},"dateDisplayFormat":{"__typename":"InheritableStringSetting","key":"layout.format_pattern_date","value":"MMM dd yyyy","localValue":"MM-dd-yyyy"},"language":{"__typename":"InheritableStringSettingWithPossibleValues","key":"profile.language","value":"en-US","localValue":null,"possibleValues":["en-US","es-ES"]},"repliesSortOrder":{"__typename":"InheritableStringSettingWithPossibleValues","key":"config.user_replies_sort_order","value":"DEFAULT","localValue":"DEFAULT","possibleValues":["DEFAULT","LIKES","PUBLISH_TIME","REVERSE_PUBLISH_TIME"]}},"deleted":false},"CachedAsset:pages-1747140122235":{"__typename":"CachedAsset","id":"pages-1747140122235","value":[{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"BlogViewAllPostsPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"CasePortalPage","type":"CASE_PORTAL","urlPath":"/caseportal","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"CreateGroupHubPage","type":"GROUP_HUB","urlPath":"/groups/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"CaseViewPage","type":"CASE_DETAILS","urlPath":"/case/:caseId/:caseNumber","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"InboxPage","type":"COMMUNITY","urlPath":"/inbox","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"HelpFAQPage","type":"COMMUNITY","urlPath":"/help","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"IdeaMessagePage","type":"IDEA_POST","urlPath":"/idea/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"IdeaViewAllIdeasPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"LoginPage","type":"USER","urlPath":"/signin","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"BlogPostPage","type":"BLOG","urlPath":"/category/:categoryId/blogs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"UserBlogPermissions.Page","type":"COMMUNITY","urlPath":"/c/user-blog-permissions/page","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ThemeEditorPage","type":"COMMUNITY","urlPath":"/designer/themes","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"TkbViewAllArticlesPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730819800000,"localOverride":null,"page":{"id":"AllEvents","type":"CUSTOM","urlPath":"/Events","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"OccasionEditPage","type":"EVENT","urlPath":"/event/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"OAuthAuthorizationAllowPage","type":"USER","urlPath":"/auth/authorize/allow","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"PageEditorPage","type":"COMMUNITY","urlPath":"/designer/pages","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"EventPostPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"UserBadgesPage","type":"COMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"GroupHubsPage","type":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/caseportal/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"BlogBoardPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ForumMessagePage","type":"FORUM_TOPIC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730819800000,"localOverride":null,"page":{"id":"CommunityHub.Page","type":"CUSTOM","urlPath":"/Directory","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730819800000,"localOverride":null,"page":{"id":"AllBlogs.Page","type":"CUSTOM","urlPath":"/blogs","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ManageUsersPage","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"PrivacyPolicyPage","type":"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notifications","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"HealthCheckPage","type":"COMMUNITY","urlPath":"/health","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1747140122235,"localOverride":null,"page":{"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"}],"localOverride":false},"CachedAsset:text:en_US-components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot find message with id {messageId}","userBanned":"We're sorry, but you have been banned from using this site.","userBannedReason":"You have been banned for the following reason: {reason}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value":{"title":"Loading..."},"localOverride":false},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc","height":512,"width":512,"mimeType":"image/png"},"Rank:rank:4":{"__typename":"Rank","id":"rank:4","position":6,"name":"Microsoft","color":"333333","icon":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc\"}"},"rankStyle":"OUTLINE"},"User:user:91092":{"__typename":"User","id":"user:91092","uid":91092,"login":"paulberg","deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS05MTA5Mi02MjUxMzNpQkUwOTY4QTBBNzdFMDhBNw"},"rank":{"__ref":"Rank:rank:4"},"email":"","messagesCount":24,"biography":null,"topicsCount":10,"kudosReceivedCount":46,"kudosGivenCount":1,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":null,"registrationTime":"2017-10-30T09:50:54.001-07:00","confirmEmailStatus":null},"followersCount":null,"solutionsCount":0},"Category:category:cis":{"__typename":"Category","id":"category:cis","entityType":"CATEGORY","displayId":"cis","nodeType":"category","depth":4,"title":"Core Infrastructure and Security","shortTitle":"Core Infrastructure and Security","parent":{"__ref":"Category:category:microsoft-security"}},"Category:category:top":{"__typename":"Category","id":"category:top","entityType":"CATEGORY","displayId":"top","nodeType":"category","depth":0,"title":"Top","shortTitle":"Top"},"Category:category:communities":{"__typename":"Category","id":"category:communities","entityType":"CATEGORY","displayId":"communities","nodeType":"category","depth":1,"parent":{"__ref":"Category:category:top"},"title":"Communities","shortTitle":"Communities"},"Category:category:products-services":{"__typename":"Category","id":"category:products-services","entityType":"CATEGORY","displayId":"products-services","nodeType":"category","depth":2,"parent":{"__ref":"Category:category:communities"},"title":"Products","shortTitle":"Products"},"Category:category:microsoft-security":{"__typename":"Category","id":"category:microsoft-security","entityType":"CATEGORY","displayId":"microsoft-security","nodeType":"category","depth":3,"parent":{"__ref":"Category:category:products-services"},"title":"Microsoft Security","shortTitle":"Microsoft Security","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:CoreInfrastructureandSecurityBlog":{"__typename":"Blog","id":"board:CoreInfrastructureandSecurityBlog","entityType":"BLOG","displayId":"CoreInfrastructureandSecurityBlog","nodeType":"board","depth":5,"conversationStyle":"BLOG","repliesProperties":{"__typename":"RepliesProperties","sortOrder":"REVERSE_PUBLISH_TIME","repliesFormat":"threaded"},"tagProperties":{"__typename":"TagNodeProperties","tagsEnabled":{"__typename":"PolicyResult","failureReason":null}},"requireTags":true,"tagType":"FREEFORM_ONLY","description":"","title":"Core Infrastructure and Security Blog","shortTitle":"Core Infrastructure and Security Blog","parent":{"__ref":"Category:category:cis"},"ancestors":{"__typename":"CoreNodeConnection","edges":[{"__typename":"CoreNodeEdge","node":{"__ref":"Community:community:gxcuf89792"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:communities"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:products-services"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:microsoft-security"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:cis"}}]},"userContext":{"__typename":"NodeUserContext","canAddAttachments":false,"canUpdateNode":false,"canPostMessages":false,"isSubscribed":false},"theme":{"__ref":"Theme:customTheme1"},"boardPolicies":{"__typename":"BoardPolicies","canViewSpamDashBoard":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.access_spam_quarantine.allowed.accessDenied","key":"error.lithium.policies.feature.moderation_spam.action.access_spam_quarantine.allowed.accessDenied","args":[]}},"canArchiveMessage":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.content_archivals.enable_content_archival_settings.accessDenied","key":"error.lithium.policies.content_archivals.enable_content_archival_settings.accessDenied","args":[]}},"canPublishArticleOnCreate":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","args":[]}}},"eventPath":"category:cis/category:microsoft-security/category:products-services/category:communities/community:gxcuf89792board:CoreInfrastructureandSecurityBlog/"},"BlogTopicMessage:message:4386252":{"__typename":"BlogTopicMessage","uid":4386252,"subject":"Application Control for Business, Schema Definition","id":"message:4386252","revisionNum":7,"repliesCount":1,"author":{"__ref":"User:user:91092"},"depth":0,"hasGivenKudo":false,"board":{"__ref":"Blog:board:CoreInfrastructureandSecurityBlog"},"conversation":{"__ref":"Conversation:conversation:4386252"},"messagePolicies":{"__typename":"MessagePolicies","canPublishArticleOnEdit":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","args":[]}},"canModerateSpamMessage":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","key":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","args":[]}}},"contentWorkflow":{"__typename":"ContentWorkflow","state":"PUBLISH","scheduledPublishTime":null,"scheduledTimezone":null,"userContext":{"__typename":"MessageWorkflowContext","canSubmitForReview":null,"canEdit":false,"canRecall":null,"canSubmitForPublication":null,"canReturnToAuthor":null,"canPublish":null,"canReturnToReview":null,"canSchedule":false},"shortScheduledTimezone":null},"readOnly":false,"editFrozen":false,"moderationData":{"__ref":"ModerationData:moderation_data:4386252"},"teaser":"","body":"
Watching my miniature schnauzer, Raven, explore my backyard, I’m reminded of the importance of having a clear set of rules and guidelines. Just like Raven has her own schema to navigate her environment—knowing where she can wander, where she shouldn't venture, and how to interact. Application Control for Business (ACfB) provides a robust schema to help organizations manage and secure their digital landscapes.
\n
Note: ACfB has also been known as Windows Defender Application Control (WDAC), Application Control for Windows and Code Integrity.
In Raven's serene world, her schema might look something like this:
\n
\n
Safe Zones: The grassy lawn where she can leisurely sniff around and her favorite shady spot under the tree.
\n
Restricted Zones: The delicate garden beds and the tempting koi pond, which are off-limits to her curious paws.
\n
Behavior Rules: Guidelines for greeting other animals and people, ensuring she remains the friendly neighborhood pup.
\n
\n
Similarly, ACfB's schema defines the rules and guidelines for managing applications and code within an organization:
\n
\n
Approved Applications: Software that is allowed to run, ensuring it is safe and trusted.
\n
Restricted Applications: Programs that are blocked from execution to prevent potential security threats.
\n
Execution Rules: Policies that dictate how applications can interact with the system, ensuring a secure and controlled environment.
\n
\n
For Raven, following her schema with precision is key. It keeps her out of trouble and ensures she enjoys her outdoor time without any mishaps. The order of her schema is equally important. She needs to know the safe zones before understanding the restricted ones, and she must learn the behavior rules to interact safely with others.
\n
Similarly, for organizations, adhering to ACfB's schema is crucial. It ensures that only approved applications run, restricted applications are blocked, and execution rules are followed, maintaining a secure and efficient digital landscape.
\n
Similarly, ACfB's schema defines precise rules for applications, ensuring that only trusted software runs on your systems, protecting against malicious code and unauthorized access. The order in which these rules and policies are defined is critical. Just as Raven's schema order helps her navigate her environment effectively, the correct order of elements in the ACfB schema ensures that the policy is correctly interpreted and enforced.
\n
\n
Application Control for Business - Schema Overview
\n
The ACfB schema provides a comprehensive framework for defining rules and policies that control which applications are allowed to run on your systems. It ensures that only trusted applications are executed, enhancing security and compliance.
\n
XML Structure Overview
\n
The XML structure used in the schema provides a high-level view of how the elements and attributes are organized. This structure ensures that the policy is correctly interpreted and enforced by Application Control for Business.
\n
Policy Information
\n
This section includes metadata about the policy, such as its name, ID, version, and description. It provides essential information for identifying and managing different policies.
\n
SiPolicy Elements (Policy controls)
\n
Detailed descriptions of the elements that control the policy, such as rules for allowing or blocking applications. These elements define the core functionality of the policy.
\n
Rules
\n
Definitions of the various rules that can be applied within the policy, specifying what is allowed or denied. These rules are crucial for controlling application behavior.
\n
FileRules
\n
Specific rules related to files, including how they are identified and controlled. This section ensures that only trusted files are allowed to execute.
\n
Signers
\n
Information about the entities that sign the applications, ensuring they are trusted. This section is crucial for maintaining the integrity and trustworthiness of applications.
\n
SigningScenarios
\n
Different scenarios in which signing is used, providing context for when and how applications should be signed. This section helps ensure that signing practices are consistently applied.
\n
CiSigners
\n
Information about code integrity signers, who are responsible for ensuring the integrity of the code. This section is crucial for maintaining code integrity.
\n
Settings
\n
General settings for the policy, including various configuration options. These settings control the overall behavior of the policy.
\n
EKUs
\n
Extended Key Usages, which specify the purposes for which a certificate can be used. This section ensures that certificates are used appropriately.
\n
UpdatePolicySigners
\n
Information about the signers who are authorized to update the policy. This section ensures that only trusted entities can modify the policy.
\n
HVCIOptions
\n
Detailed descriptions of the hypervisor-protected code integrity options. These details define the characteristics and configurations of each option.
\n
Macros
\n
Definitions of macros used within the policy, allowing for reusable configurations. This section provides flexibility and efficiency in policy management.
\n
SupplementalPolicySigners
\n
Information about additional signers who can supplement the main policy. This section ensures that the policy can be extended and updated as needed.
\n
SupplementalPolicySigners Elements and Attributes
\n
\n
Application Control for Business Schema
\n
The ACfB schema, as defined in the provided file (CiPolicy.xsd), is a comprehensive XML schema that outlines the structure and rules for creating and managing security policies within the Application Control for Business framework. This schema includes various elements and attributes that specify how policies are constructed, validated, and enforced. Key components of the schema include definitions for file rules, signers, signing scenarios, and policy settings, each with specific attributes and nested elements that provide detailed control over the security configurations.
\n
The primary purpose of the ACfB schema is to enhance the security posture of Windows environments by ensuring that only trusted and verified code is allowed to execute. By defining rules for allowing or denying specific files, managing trusted signers, and specifying conditions under which certain policies apply, the ACfB schema helps administrators create granular and flexible security policies. These policies protect against unauthorized code execution, maintain system integrity, and ensure compliance with organizational security standards.
\n
\n
Application Control Bypass
\n
ACfB provides the ability to lock down endpoints effectively, but there are some potential bypasses that need to be addressed. Certain legitimate applications, such as powershell.exe, msbuild.exe, and wscript.exe, can be exploited by attackers to circumvent these controls. Blocking these applications is recommended unless they are absolutely necessary for business operations.
\n
Additionally, keeping software up to date is crucial to mitigate vulnerabilities. For instance, older versions of BGInfo are vulnerable and should be blocked, while the latest version has resolved these security issues. The security community has been instrumental in identifying these vulnerabilities and helping to protect users. Following these recommendations is vital to ensure our systems remain secure.
\n
For complete details, please refer to the full article on Microsoft's website:
An ACfB policy XML file consists of several key sections:
\n
\n
Policy Information: Metadata about the policy.
\n
Rules: Definitions of what is allowed or denied.
\n
File Rules: Specific rules for files and applications.
\n
Signing Rules: Rules for signed applications and drivers.
\n
\n
\n
Policy Information
\n
The <SiPolicy> Root Element is used to define the overall security policy for the system. This element encompasses various configurations and settings that dictate how the security policy is enforced. It includes details such as policy type, policy rules, and other critical parameters that ensure the integrity and security of the system. By configuring <SiPolicy>, organizations can establish a comprehensive security framework that governs the behavior of applications and code execution on the system.
\n
\n
SiPolicy
\n
\n
|-----
\n
\n
Attributes
\n
\n
|
\n
\n
|-----
\n
\n
FriendlyName
\n
\n
|
\n
\n
|-----
\n
\n
PolicyType
\n
\n
|
\n
\n
|------------------------
\n
\n
\"Base Policy\"
\n
\n
|
\n
\n
|------------------------
\n
\n
\"Supplemental Policy\"
\n
\n
|
\n
\n
|------------------------
\n
\n
\"AppID Tagging Policy\"
\n
\n
|
\n
\n
|-----
\n
\n
Elements
\n
\n
|-----
\n
\n
VersionEx *1, *2
\n
\n
|-----
\n
\n
PolicyTypeID *2
\n
\n
|-----
\n
\n
PlatformID *1, *2
\n
\n
|-----
\n
\n
PolicyID * 2
\n
\n
|-----
\n
\n
BasePolicyID *2
\n
\n
|-----
\n
\n
Rules
\n
\n
|----- Rule
\n
\n
|-----
\n
\n
EKUs
\n
\n
|-----
\n
\n
FileRules
\n
\n
|-----
\n
\n
Signers
\n
\n
|-----
\n
\n
SigningScenarios
\n
\n
|-----
\n
\n
UpdatePolicySigners
\n
\n
|-----
\n
\n
CiSigners
\n
\n
|-----
\n
\n
HvciOptions
\n
\n
|-----
\n
\n
Settings
\n
\n
|-----
\n
\n
Macros
\n
\n
|-----
\n
\n
SupplementalPolicySigners
\n
\n
|-----
\n
\n
AppSettings
\n
\n
*1 - Required
\n
\n
*2 - These elements are used for defining and managing the ACfB policies on an endpoint.
\n
\n
\n
SiPolicy Elements (Policy controls)
\n
\n
Element Names
\n
\n
Description
\n
\n
VersionEx
\n
\n
Specifies the extended version of the policy.
\n
\n
PolicyTypeID
\n
\n
Used to uniquely identify and manage different types of polices
\n
\n
PolicyID
\n
\n
The unique identifier for the policy.
\n
\n
BasePolicyID
\n
\n
The GUID of the base policy, if applicable.
\n
\n
PlatformID
\n
\n
The identifier for the platform the policy applies to.
There are a total of 17 sub-elements available under <SiPolicy> in a ACfB policy XML file.
\n
\n
\n
Element Names
\n
\n
Description
\n
\n
Notes
\n
\n
<VersionEx>
\n
\n
Specifies the version of the System Integrity policy.
\n
\n
Required
\n
\n
<PolicyTypeID>
\n
\n
Unique identifier for the policy type.
\n
\n
<PlatformID>
\n
\n
Unique identifier for the platform.
\n
\n
Required
\n
\n
<PolicyID>
\n
\n
Unique identifier for the policy.
\n
\n
<BasePolicyID>
\n
\n
Unique identifier for the base policy.
\n
\n
<Rules>
\n
\n
The <Rules> sub-element is used to define various options and settings related to the rules enforced by the policy. These options can include configurations such as enabling or disabling specific rule types, setting enforcement levels, and other parameters that control how the rules are applied. By configuring <RulesOptions>, organizations can fine-tune the behavior of their security policies to meet specific requirements and ensure that the rules are enforced in a manner that aligns with their security objectives.
\n
\n
Contains a sequence of <Rule> elements defining various policy rules.
\n
\n
<EKUs>
\n
\n
The <EKUs> element defines Extended Key Usage (EKU) settings for the ACfB policy. EKUs specify the purposes for which a certificate can be used, such as code signing or server authentication. This element can include multiple EKU definitions, each specified within an <EKU> element. By defining EKUs, administrators can ensure that only certificates with the appropriate usage attributes are trusted, providing an additional layer of security for the system.
\n
\n
Collection of Extended Key Usage (EKU) elements.
\n
\n
FileRules
\n
\n
The <FileRules> element specifies how applications and drivers are identified and allowed or denied. This element can include rules based on file attributes, hashes, paths, publishers, and certificates. For example, you can allow a specific file by its hash or allow all files in a particular directory. The flexibility of <FileRules> allows administrators to create granular policies that precisely control which files are permitted to execute, enhancing the security posture of the system.
\n
\n
Collection of file rules.
\n
\n
Signers
\n
\n
The <Signers> element defines trusted signers for applications and drivers. This element can include various types of signers, such as FilePublisher, LeafCertificate, PcaCertificate, and RootCertificate. Each signer type specifies different levels of trust, from individual files to entire certificate chains. By defining trusted signers, administrators can ensure that only applications and drivers signed by recognized entities are allowed to run, reducing the risk of malware and unauthorized software.
\n
\n
Collection of signers.
\n
\n
SigningScenarios
\n
\n
The <SigningScenarios> element specifies different scenarios under which signing rules apply. This element can include scenarios for drivers, Windows components, and other specific use cases. Each scenario is defined within a <SigningScenario> element, which includes details such as the scenario value, ID, and friendly name. By defining signing scenarios, administrators can create policies that apply different rules based on the context in which an application or driver is executed, providing more nuanced control over software execution.
\n
\n
Collection of signing scenarios.
\n
\n
UpdatePolicySigners
\n
\n
The <UpdatePolicySigners> element defines signers that are trusted to update the ACfB policy. This element can include various types of signers, such as FilePublisher, LeafCertificate, PcaCertificate, and RootCertificate. By specifying trusted update policy signers, administrators can ensure that only authorized entities can modify the ACfB policy, preventing unauthorized changes that could compromise the security of the system.
\n
\n
Collection of signers for system integrity policy updating.
\n
\n
CiSigners
\n
\n
The <CiSigners> element defines Code Integrity signers that are trusted for all builds, including retail builds. This element is typically used to include enterprise signers or production signers that are trusted across the organization. By specifying trusted Code Integrity signers, administrators can ensure that only code signed by recognized entities is allowed to run, enhancing the overall security of the system.
\n
\n
Collection of signers trusted for CI signing levels.
\n
\n
HvciOptions
\n
\n
Hypervisor-Protected Code Integrity (HVCI) leverages virtualization-based security (VBS) to ensure that only trusted code runs in kernel mode
\n
\n
Specifies (HVCI) settings.
\n
\n
Settings
\n
\n
The <Settings> element includes additional settings for the ACfB policy. This element can define various configuration options, such as policy information, enterprise-defined settings, and other custom settings. Each setting is specified within a <Setting> element, which includes details such as the provider, key, value name, and value. By configuring these settings, administrators can customize the behavior of the ACfB policy to meet the specific needs of their organization.
\n
\n
Collection of setting elements.
\n
\n
Macros
\n
\n
The <Macros> element defines a collection of macro definitions that can be used throughout the policy. Macros allow for text substitution, making it easier to manage and update policy configurations. Each macro is defined within a <Macro> element, which includes an ID and a value. By using macros, administrators can simplify the policy management process and ensure consistency across different policy elements.
\n
\n
Collection of macro definitions.
\n
\n
SupplementalPolicySigners
\n
\n
The <SupplementalPolicySigners> element defines a collection of signers for supplemental policies. These signers are trusted to sign additional policies that extend or modify the base policy. By specifying supplemental policy signers, administrators can ensure that only authorized entities can create or update supplemental policies, maintaining the integrity and security of the overall policy framework.
\n
\n
Collection of signers for supplemental policies.
\n
\n
AppSettings
\n
\n
The <AppSettings> element defines a collection of application settings. These settings can include various configuration options specific to applications, such as manifest paths and custom settings. Each application setting is defined within an <App> element, which includes details such as the manifest path and individual settings. By configuring application settings, administrators can tailor the behavior of specific applications to meet organizational requirements.
The <Rules> sub-element is used to organize and manage various rules within the policy. It contains a sequence of <Rule> elements, each defined by the Rules complex type. These rules specify configurations such as enabling or disabling specific options, setting enforcement levels, and other parameters that control how the rules are applied. By configuring the <Rules> sub-element, organizations can fine-tune the behavior of their security policies to meet specific requirements and ensure that the rules are enforced in a manner that aligns with their security objectives.
\n
\n
Rules
\n
\n
|------
\n
\n
Rule
\n
\n
|------
\n
\n
RuleType
\n
\n
|------
\n
\n
Option
\n
\n
|------
\n
\n
Enabled:UMCI
\n
\n
|------
\n
\n
Enabled:Boot Menu Protection
\n
\n
|------
\n
\n
Enabled:Intelligent Security Graph Authorization
\n
\n
|------
\n
\n
Enabled:Invalidate EAs on Reboot
\n
\n
|------
\n
\n
Required:WHQL
\n
\n
|------
\n
\n
Enabled:Developer Mode Dynamic Code Trust
\n
\n
|------
\n
\n
Enabled:Allow Supplemental Policies
\n
\n
|------
\n
\n
Disabled:Runtime FilePath Rule Protection
\n
\n
|------
\n
\n
Enabled:Revoked Expired As Unsigned
\n
\n
|------
\n
\n
Enabled:Audit Mode
\n
\n
|------
\n
\n
Disabled:Flight Signing
\n
\n
|------
\n
\n
Enabled:Inherit Default Policy
\n
\n
|------
\n
\n
Enabled:Unsigned System Integrity Policy
\n
\n
|------
\n
\n
Enabled:Dynamic Code Security
\n
\n
|------
\n
\n
Required:EV Signers
\n
\n
|------
\n
\n
Enabled:Boot Audit On Failure
\n
\n
|------
\n
\n
Enabled:Advanced Boot Options Menu
\n
\n
|------
\n
\n
Disabled:Script Enforcement
\n
\n
|------
\n
\n
Required:Enforce Store Applications
\n
\n
|------
\n
\n
Enabled:Secure Setting Policy
\n
\n
|------
\n
\n
Enabled:Managed Installer
\n
\n
|------
\n
\n
Enabled:Update Policy No Reboot
\n
\n
|------
\n
\n
Enabled:Conditional Windows Lockdown Policy
\n
\n
\n
Rules Options
\n
\n
Option Types
\n
\n
Description
\n
\n
Enabled:UMCI
\n
\n
Enables User Mode Code Integrity (UMCI), ensuring that only trusted code runs in user mode.
\n
\n
Enabled:Boot Menu Protection
\n
\n
Enables protection for the boot menu, preventing unauthorized changes to boot configurations.
\n
\n
Enabled:Intelligent Security Graph Authorization
\n
\n
Utilizes the Intelligent Security Graph to authorize applications, enhancing security by leveraging Microsoft's threat intelligence.
\n
\n
Enabled:Invalidate EAs on Reboot
\n
\n
Invalidates Extended Attributes (EAs) on reboot, ensuring that any changes to EAs are not persistent across reboots.
\n
\n
Required:WHQL
\n
\n
Requires that drivers are Windows Hardware Quality Labs (WHQL) certified, ensuring they meet Microsoft's quality standards.
\n
\n
Enabled:Developer Mode Dynamic Code Trust
\n
\n
Enables dynamic code trust for developer mode, allowing developers to run and test code that may not be signed.
\n
\n
Enabled:Allow Supplemental Policies
\n
\n
Allows the use of supplemental policies, which can extend or modify the base policy.
\n
\n
Disabled:Runtime FilePath Rule Protection
\n
\n
Disables runtime protection for file path rules, potentially reducing security but allowing more flexibility.
\n
\n
Enabled:Revoked Expired As Unsigned
\n
\n
Treats revoked or expired certificates as unsigned, preventing code signed with such certificates from running.
\n
\n
Enabled:Audit Mode
\n
\n
Enables audit mode, which logs policy violations without enforcing them, useful for testing and monitoring.
\n
\n
Disabled:Flight Signing
\n
\n
Disables flight signing, which is used for pre-release software testing.
\n
\n
Enabled:Inherit Default Policy
\n
\n
Allows the policy to inherit settings from the default policy, ensuring consistency and reducing configuration effort.
\n
\n
Enabled:Unsigned System Integrity Policy
\n
\n
Enables the use of unsigned system integrity policies, which can be useful in certain testing or development scenarios.
\n
\n
Enabled:Dynamic Code Security
\n
\n
Enhances security by enabling dynamic code security measures, which help protect against runtime code modifications.
\n
\n
Required:EV Signers
\n
\n
Requires Extended Validation (EV) certificates for code signing, providing a higher level of trust.
\n
\n
Enabled:Boot Audit On Failure
\n
\n
Enables auditing of boot failures, helping to diagnose and troubleshoot boot issues.
\n
\n
Enabled:Advanced Boot Options Menu
\n
\n
Enables the advanced boot options menu, providing additional boot options for troubleshooting and recovery.
\n
\n
Disabled:Script Enforcement
\n
\n
Disables enforcement of script policies, allowing scripts to run without being subject to policy restrictions.
\n
\n
Required:Enforce Store Applications
\n
\n
Requires that only applications from the Microsoft Store are allowed to run, enhancing security by restricting software sources.
\n
\n
Enabled:Secure Setting Policy
\n
\n
Enables secure setting policies, which enforce additional security settings.
\n
\n
Enabled:Managed Installer
\n
\n
Allows the use of a managed installer, which can install and manage applications according to policy.
\n
\n
Enabled:Update Policy No Reboot
\n
\n
Enables policy updates without requiring a reboot, reducing downtime and improving user experience.
\n
\n
Enabled:Conditional Windows Lockdown Policy
\n
\n
Enables conditional lockdown policies, which can enforce stricter security measures based on certain conditions.
\n
\n
\n
<!-- Other policy elements here -->
\n
<Rules>
\n
<Rule>
\n
<Option>Enabled:Unsigned System Integrity Policy</Option>
The <FileRules> sub-element is used to define various options and settings related to file rules enforced by the policy. These options can include configurations such as specifying file types to be monitored, setting enforcement levels for different file operations, and other parameters that control how file rules are applied. By configuring <FileRules>, organizations can customize the behavior of their file security policies to meet specific requirements and ensure that file operations are monitored and controlled in a manner that aligns with their security objectives.
\n
\n
FileRules
\n
\n
|------
\n
\n
Allow
\n
\n
|
\n
\n
|--------
\n
\n
ID *1
\n
\n
|
\n
\n
|--------
\n
\n
FriendlyName
\n
\n
|
\n
\n
|--------
\n
\n
FileName
\n
\n
|
\n
\n
|--------
\n
\n
InternalName
\n
\n
|
\n
\n
|--------
\n
\n
FileDescription
\n
\n
|
\n
\n
|--------
\n
\n
ProductName
\n
\n
|
\n
\n
|--------
\n
\n
PackageFamilyName
\n
\n
|
\n
\n
|--------
\n
\n
PackageVersion
\n
\n
|
\n
\n
|--------
\n
\n
MinimumFileVersion
\n
\n
|
\n
\n
|--------
\n
\n
MaximumFileVersion
\n
\n
|
\n
\n
|--------
\n
\n
Hash
\n
\n
|
\n
\n
|--------
\n
\n
AppIDs
\n
\n
|
\n
\n
|--------
\n
\n
FilePath
\n
\n
|
\n
\n
|------
\n
\n
Deny
\n
\n
|
\n
\n
|--------
\n
\n
ID *1
\n
\n
|
\n
\n
|--------
\n
\n
FriendlyName
\n
\n
|
\n
\n
|--------
\n
\n
FileName
\n
\n
|
\n
\n
|--------
\n
\n
InternalName
\n
\n
|
\n
\n
|--------
\n
\n
FileDescription
\n
\n
|
\n
\n
|--------
\n
\n
ProductName
\n
\n
|
\n
\n
|--------
\n
\n
PackageFamilyName
\n
\n
|
\n
\n
|--------
\n
\n
PackageVersion
\n
\n
|
\n
\n
|--------
\n
\n
MinimumFileVersion
\n
\n
|
\n
\n
|--------
\n
\n
MaximumFileVersion
\n
\n
|
\n
\n
|--------
\n
\n
Hash
\n
\n
|
\n
\n
|--------
\n
\n
AppIDs
\n
\n
|
\n
\n
|--------
\n
\n
FilePath
\n
\n
|
\n
\n
|------
\n
\n
FileAttrib
\n
\n
|
\n
\n
|--------
\n
\n
ID *1
\n
\n
|
\n
\n
|--------
\n
\n
FriendlyName
\n
\n
|
\n
\n
|--------
\n
\n
FileName
\n
\n
|
\n
\n
|--------
\n
\n
InternalName
\n
\n
|
\n
\n
|--------
\n
\n
FileDescription
\n
\n
|
\n
\n
|--------
\n
\n
ProductName
\n
\n
|
\n
\n
|--------
\n
\n
PackageFamilyName
\n
\n
|
\n
\n
|--------
\n
\n
PackageVersion
\n
\n
|
\n
\n
|--------
\n
\n
MinimumFileVersion
\n
\n
|
\n
\n
|--------
\n
\n
MaximumFileVersion
\n
\n
|
\n
\n
|--------
\n
\n
Hash
\n
\n
|
\n
\n
|--------
\n
\n
AppIDs
\n
\n
|
\n
\n
|--------
\n
\n
FilePath
\n
\n
|
\n
\n
|------
\n
\n
FileRule
\n
\n
|--------
\n
\n
ID *1
\n
\n
|--------
\n
\n
FriendlyName
\n
\n
|--------
\n
\n
FileName
\n
\n
|--------
\n
\n
InternalName
\n
\n
|--------
\n
\n
FileDescription
\n
\n
|--------
\n
\n
ProductName
\n
\n
|--------
\n
\n
PackageFamilyName
\n
\n
|--------
\n
\n
PackageVersion
\n
\n
|--------
\n
\n
MinimumFileVersion
\n
\n
|--------
\n
\n
MaximumFileVersion
\n
\n
|--------
\n
\n
Hash
\n
\n
|--------
\n
\n
AppIDs
\n
\n
|--------
\n
\n
FilePath
\n
\n
|--------
\n
\n
Type *1
\n
\n
|-------------------
\n
\n
\"Match\"
\n
\n
|-------------------
\n
\n
\"Exclude\"
\n
\n
|-------------------
\n
\n
\"Attribute\"
\n
\n
*1 = Required
\n
\n
\n
FileRules Elements and Attributes
\n
There are 4 elements and 13 attributes available for FileRules. The elements specify how applications and drivers are identified and allowed or denied based on various attributes within the ACfB policy. The attributes allow administrators to specify criteria based on various properties of files, such as their cryptographic hash, file name, file path, publisher's certificate, and more. This ensures that only trusted and verified files are permitted to execute
\n
\n
Element Names
\n
\n
Attribute Names
\n
\n
Description
\n
\n
Allow
\n
Deny
\n
FileAttrib
\n
FileRule
\n
\n
AppIDs
\n
\n
Application IDs associated with the file, used for additional identification and management.
\n
\n
FileDescription
\n
\n
A description of the file, providing more context about its purpose and usage.
\n
\n
FileName
\n
\n
Specifies the name of the file to allow. Ensures that only files with this exact name are permitted to run.
\n
\n
FilePath
\n
\n
Specifies the path of the file to allow. Ensures that only files located in this specific path are permitted to run.
\n
\n
FriendlyName
\n
\n
A user-friendly name for the rule, making it easier to identify and manage.
\n
\n
Hash
\n
\n
Specifies the cryptographic hash of the file to allow. Provides a high level of security by ensuring that only the exact file with this hash is permitted to run.
\n
\n
ID
\n
\n
Unique identifier for the rule.
\n
(Required)
\n
\n
InternalName
\n
\n
The internal name of the file, often used for additional verification.
\n
\n
MaximumFileVersion
\n
\n
Specifies the maximum version of the file to allow. Prevents the execution of potentially outdated or insecure versions.
\n
\n
MinimumFileVersion
\n
\n
Specifies the minimum version of the file to allow. Ensures that only updated and secure versions are permitted.
\n
\n
PackageFamilyName
\n
\n
The package family name for the file, used to group related files together.
\n
\n
PackageVersion
\n
\n
The version of the package that the file belongs to, ensuring compatibility and version control.
\n
\n
ProductName
\n
\n
The name of the product associated with the file, helping to identify the software it belongs to.
\n
\n
FileRule (only)
\n
\n
Type
\n
\n
Specifies the type of rule being applied, such as Match, Exclude, or Attribute. This attribute defines the condition under which the rule applies, allowing for precise control over how files are identified and managed.
\n
(Required)
\n
\n
\n
<!-- Other policy elements here -->
\n
<FileRules>
\n
<FileAttrib ID=\"ID_FILEATTRIB_A_1\" FriendlyName=\"Allow files based on file attributes: 16.0.18429.20114 and WinWord.exe\" FileName=\"*\" MinimumFileVersion=\"16.0.18429.20114\"/>
\n
<Allow ID=\"ID_ALLOW_PATH_0_1_0\" FriendlyName=\"Allow by path: %OSDRIVE%\\Program Files\\PuTTY\\putty.exe\" FilePath=\"%OSDRIVE%\\Program Files\\PuTTY\\putty.exe\"/>
\n
<Deny ID=\"ID_DENY_PATH_0_1_0\" FriendlyName=\"Deny by path: %OSDRIVE%\\Program Files\\Notepad++\\notepad++.exe\" FilePath=\"%OSDRIVE%\\Program Files\\Notepad++\\notepad++.exe\"/>
\n
<Allow ID=\"ID_ALLOW_A_1_1_0\" FriendlyName=\"Allow files based on file attributes: Google Chrome\" FileDescription=\"Google Chrome\"/>
\n
</FileRules>
\n
<!-- Other policy elements here -->
\n
\n
Signers
\n
The <Signers> sub-element is a collection of <Signer> elements that are trusted to sign applications and drivers. It includes various sub-elements that define the details of each signer. These options can include configurations such as specifying the criteria for trusted signers, setting validation levels for signer certificates, and other parameters that control how signers are managed and verified. By configuring <Signers>, organizations can ensure that only authorized and trusted signers are allowed, enhancing the security and integrity of the system by preventing unauthorized code from being executed.
\n
Sub-element:<Signer> of <Signers>
\n
The <Signer> sub-element defines an individual signer and includes several attributes and nested elements that specify the details of the signer's certificate and other relevant information.
\n
\n
Signers
\n
\n
|------
\n
\n
Signer
\n
\n
|------
\n
\n
Attributes
\n
\n
|
\n
\n
|------
\n
\n
Name
\n
\n
|
\n
\n
|------
\n
\n
ID
\n
\n
|
\n
\n
|------
\n
\n
SignTimeAfter
\n
\n
|
\n
\n
|------
\n
\n
Certroot *1
\n
\n
|
\n
\n
|------
\n
\n
Attribute
\n
\n
|
\n
\n
|------
\n
\n
Type *1
\n
\n
|
\n
\n
|-----
\n
\n
\"TBS\"
\n
\n
|
\n
\n
|-----
\n
\n
\"WellKnown\"
\n
\n
|
\n
\n
|
\n
\n
|------
\n
\n
Value *1
\n
\n
|------
\n
\n
CertEKU
\n
\n
|
\n
\n
|------
\n
\n
Attribute
\n
\n
|
\n
\n
|------
\n
\n
ID *1
\n
\n
|------
\n
\n
CertIssuer
\n
\n
|
\n
\n
|------
\n
\n
Attribute
\n
\n
|
\n
\n
|------
\n
\n
Value *1
\n
\n
|------
\n
\n
CertPublisher
\n
\n
|
\n
\n
|------
\n
\n
Attribute
\n
\n
|
\n
\n
|------
\n
\n
Value *1
\n
\n
|------
\n
\n
CertOemID
\n
\n
|
\n
\n
|------
\n
\n
Attribute
\n
\n
|
\n
\n
|------
\n
\n
Value *1
\n
\n
|------
\n
\n
FileAttribRef
\n
\n
|------
\n
\n
Attribute
\n
\n
|------
\n
\n
RuleID *1
\n
\n
*1 = Required
\n
\n
\n
Signers Elements and Attributes
\n
\n
Element Names
\n
\n
Attribute Names
\n
\n
Description
\n
\n
Signers
\n
\n
A collection of Signer elements that define individual signers trusted to sign applications and drivers.
\n
\n
Signer
\n
\n
Name
\n
\n
Specifies the name of the signer.
\n
\n
ID
\n
\n
Unique identifier for the signer.
\n
\n
SignTimeAfter
\n
\n
Specifying the time after which the signer's certificate is valid.
\n
\n
CertRoot
\n
\n
Type
\n
\n
Specifies the root certificate for a signer.
\n
(Required)
\n
\n
Value
\n
\n
Specifies the value of the root certificate in hexBinary form.
\n
\n
CertEKU
\n
\n
ID
\n
\n
Specifies the EKU ID.
\n
\n
CertIssuer
\n
\n
Value
\n
\n
Specifies the value of the issuer certificate.
\n
\n
CertPublisher
\n
\n
Value
\n
\n
Specifies the value of the publisher certificate.
\n
\n
CertOemID
\n
\n
Value
\n
\n
Specifies the value of the OEM ID.
\n
\n
FileAttribRef
\n
\n
RuleID
\n
\n
References a file attribute rule through its ID.
\n
\n
\n
<!-- Other policy elements here -->
\n
<FileRules>
\n
<FileAttrib ID=\"ID_FILEATTRIB_A_2\" FriendlyName=\"Allow files based on file attributes: 132.0.6834.111 and chrome.exe\" FileName=\"*\" MinimumFileVersion=\"132.0.6834.111\"/>
\n
<FileAttrib ID=\"ID_FILEATTRIB_A_1_1_0\" FriendlyName=\"Deny files based on file attributes: 21.4.7.25431 and SNAGIT32.EXE\" FileName=\"*\" MinimumFileVersion=\"21.4.7.25431\"/>
The <SigningScenarios> element is used to define the different scenarios in which code signing is required or trusted. These scenarios specify the conditions under which code must be signed to be considered valid and executable. By configuring <SigningScenarios>, organizations can enforce code signing policies that ensure only authorized and trusted code is allowed to run. This helps in maintaining the integrity and security of the system by preventing the execution of unauthorized or malicious code.
\n
\n
\n
SigningScenarios
\n
\n
|
\n
\n
SigningScenario
\n
\n
|----------
\n
\n
Attributes
\n
\n
|
\n
\n
|----------
\n
\n
ID *1
\n
\n
|
\n
\n
|----------
\n
\n
FriendlyName
\n
\n
|
\n
\n
|----------
\n
\n
Value *1
\n
\n
|
\n
\n
|----------
\n
\n
InheritedScenarios
\n
\n
|
\n
\n
|----------
\n
\n
MinimumHashAlgorithm
\n
\n
|
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
|----------
\n
\n
ProductSigners *1
\n
\n
|
\n
\n
|----------
\n
\n
AllowedSigners
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Workaround
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
AllowedSigner
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|-------
\n
\n
SignerId
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
ExceptDenyRule
\n
\n
|
\n
\n
|
\n
\n
|-------
\n
\n
Attributes
\n
\n
|
\n
\n
|----------
\n
\n
DeniedSigners
\n
\n
|-------
\n
\n
DenyRuleId
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Workaround
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
DeniedSigner
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|-------
\n
\n
SignerId
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
ExceptAllowRule
\n
\n
|
\n
\n
|
\n
\n
|-------
\n
\n
Attributes
\n
\n
|
\n
\n
|----------
\n
\n
FileRulesRef
\n
\n
|-------
\n
\n
AllowRuleId
\n
\n
|
\n
\n
|---------------
\n
\n
Atributes
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Workaround
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
FileRuleRef
\n
\n
|
\n
\n
|---------
\n
\n
RuleId
\n
\n
|
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
|----------
\n
\n
TestSigners
\n
\n
|
\n
\n
|----------
\n
\n
AllowedSigners
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Workaround
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
AllowedSigner
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|-------
\n
\n
SignerId
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
ExceptDenyRule
\n
\n
|
\n
\n
|
\n
\n
|-------
\n
\n
Attributes
\n
\n
|
\n
\n
|----------
\n
\n
DeniedSigners
\n
\n
|-------
\n
\n
DenyRuleId
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Workaround
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
DeniedSigner
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|-------
\n
\n
SignerId
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
ExceptAllowRule
\n
\n
|
\n
\n
|
\n
\n
|-------
\n
\n
Attributes
\n
\n
|
\n
\n
|----------
\n
\n
FileRulesRef
\n
\n
|-------
\n
\n
AllowRuleId
\n
\n
|
\n
\n
|---------------
\n
\n
Atributes
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Workaround
\n
\n
|
\n
\n
FileRuleRef
\n
\n
|
\n
\n
|---------------
\n
\n
Atributes
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Workaround
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
FileRuleRef
\n
\n
|
\n
\n
|---------
\n
\n
RuleId
\n
\n
|
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
|----------
\n
\n
TestSigningSigners
\n
\n
|
\n
\n
|----------
\n
\n
AllowedSigners
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Workaround
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
AllowedSigner
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|-------
\n
\n
SignerId
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
ExceptDenyRule
\n
\n
|
\n
\n
|
\n
\n
|-------
\n
\n
Attributes
\n
\n
|
\n
\n
|----------
\n
\n
DeniedSigners
\n
\n
|-------
\n
\n
DenyRuleId
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Workaround
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
DeniedSigner
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|-------
\n
\n
SignerId
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
ExceptAllowRule
\n
\n
|
\n
\n
|
\n
\n
|-------
\n
\n
Attributes
\n
\n
|
\n
\n
|----------
\n
\n
FileRulesRef
\n
\n
|-------
\n
\n
AllowRuleId
\n
\n
|
\n
\n
|---------------
\n
\n
Atributes
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Workaround
\n
\n
|
\n
\n
FileRuleRef
\n
\n
|
\n
\n
|---------------
\n
\n
Atributes
\n
\n
|
\n
\n
|
\n
\n
|---------
\n
\n
Workaround
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|---------------
\n
\n
FileRuleRef
\n
\n
|
\n
\n
|---------
\n
\n
RuleId
\n
\n
|
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
|----------
\n
\n
AppIDTags
\n
\n
|----------
\n
\n
Attributes
\n
\n
|
\n
\n
|---------------
\n
\n
EnforceDLL
\n
\n
|
\n
\n
|----------
\n
\n
AppIDTag
\n
\n
|---------------
\n
\n
Attributes
\n
\n
|---------
\n
\n
Key
\n
\n
|---------
\n
\n
Value
\n
\n
*1 = Required
\n
\n
\n
SigningScenarios Elements and Attributes
\n
\n
Element Names
\n
\n
Nested Elements
\n
\n
Attribute Name
\n
\n
Description
\n
\n
SigningScenarios
\n
\n
ID
\n
\n
A unique identifier for the signing scenario.
\n
\n
FriendlyName
\n
\n
Helps in easily identifying and managing the signing scenario.
\n
\n
InheritedScenarios
\n
\n
Allows the signing scenario to inherit rules and settings from other defined scenarios, promoting reuse and consistency.
\n
\n
MinimumHashAlgorithm
\n
\n
Ensures that only cryptographic hashes meeting the specified algorithm criteria are considered valid.
\n
\n
Value
\n
\n
Required and defines the specific context or condition under which the signing scenario applies.
\n
\n
ProductSigners,
\n
TestSigners, TestSigningSigners
\n
\n
AllowedSigners
\n
\n
WorkAround
\n
\n
Provides flexibility in handling specific scenarios or exceptions that may not be directly addressed by the standard schema definitions, allowing for customized solutions to unique challenges.
\n
\n
AllowedSigner
\n
\n
SignerId
\n
\n
Each signer can be distinctly recognized and referenced within the ACfB policy, allowing for precise control over which signers are trusted or denied.
\n
\n
AllowedSigner/ExceptDenyRule
\n
\n
DenyRuleId
\n
\n
Used in the ExceptDenyRule element to reference a specific deny rule, making the allow rule conditional based on the deny rule.
\n
\n
DeniedSigners
\n
\n
WorkAround
\n
\n
Provides flexibility in handling specific scenarios or exceptions that may not be directly addressed by the standard schema definitions, allowing for customized solutions to unique challenges.
\n
\n
DeniedSigner
\n
\n
SignerId
\n
\n
Used in the AllowedSigner and DeniedSigner elements to distinctly recognize and reference each signer.
\n
\n
DeniedSigner/ExceptAllowRule
\n
\n
AllowRuleId
\n
\n
Specification of the AllowRuleId.
\n
\n
FileRulesRef
\n
\n
Workaround
\n
\n
Provides flexibility in handling specific scenarios or exceptions that may not be directly addressed by the standard schema definitions, allowing for customized solutions to unique challenges.
\n
\n
FileRuleRef
\n
\n
RuleId
\n
\n
Specifies the ID of the file rule.
\n
\n
AppIDTags
\n
\n
EnforceDLL
\n
\n
If enabled ensures that only trusted DLLs are allowed to load.
\n
\n
AddIDTag
\n
\n
Key
\n
\n
Specifies the key for the application ID tag.
\n
\n
Value
\n
\n
Specifies the value for the application ID tag.
\n
\n
\n
CiSigners
\n
<CiSigners> are signers that ConfigCI asks CI to trust for all builds, including retail builds.
\n
Normally CiSigners is empty or only includes production signers. For enterprise ConfigCI policy, you may need to include enterprise signers. Just make sure it is understood that CiSigners will be trusted by CI for ALL builds.
\n
\n
\n
CiSigners
\n
\n
|------
\n
\n
CiSigner *1
\n
\n
|------
\n
\n
Attribute
\n
\n
|------
\n
\n
SignerId
\n
\n
*1 = Required
\n
\n
\n
\n
Element Names
\n
\n
Attribute Names
\n
\n
Description
\n
\n
CiSigners
\n
\n
A collection of CiSigner elements.
\n
\n
CiSigner
\n
\n
SignerId
\n
\n
To distinctly recognize and reference each signer within the ACfB policy.
The <Settings> sub-element is used to define various configuration settings for the policy. These settings can include options such as enabling or disabling specific features, setting enforcement levels, and other parameters that control the behavior of the policy. By configuring <Settings>, organizations can customize the policy to meet their specific security requirements and operational needs. This helps in ensuring that the policy is applied in a manner that aligns with the organization's security objectives and operational practices.
\n
\n
Settings
\n
\n
|-----
\n
\n
Setting
\n
\n
|-----
\n
\n
Attribute
\n
\n
|
\n
\n
|-----
\n
\n
Provider *1
\n
\n
|
\n
\n
|-----
\n
\n
Key *1
\n
\n
|
\n
\n
|-----
\n
\n
ValueName *1
\n
\n
|
\n
\n
|-----
\n
\n
Value
\n
\n
|-----
\n
\n
SettingValueType *1
\n
\n
|------------
\n
\n
BooleanType
\n
\n
|------------
\n
\n
DWordType
\n
\n
|------------
\n
\n
xs:hexBinary
\n
\n
|------------
\n
\n
xs:string
\n
\n
*1 = Required
\n
\n
\n
Settings, Elements, Attributes and SettingValueType
\n
\n
Element Names
\n
\n
Attribute Names
\n
\n
Description
\n
\n
Settings
\n
\n
Collection of Setting(s).
\n
\n
Setting
\n
\n
Provider
\n
\n
Specifies the source or context of the setting.
\n
Required
\n
\n
Key
\n
\n
Defines the category or type of information the setting pertains to.
\n
Required
\n
\n
ValueName
\n
\n
Specifies the name of the specific value being set.
\n
Required
\n
\n
Setting/Value/SettingValueType
\n
Required
\n
\n
BooleanType
\n
\n
Represents a Boolean value, which can be either true or false.
\n
\n
DWordType
\n
\n
Represents a double word (32-bit unsigned integer) value.
The <EKUs> sub-element is used to define the Extended Key Usage (EKU) attributes for certificates. EKUs specify the purposes for which the certificate's public key can be used, such as code signing, server authentication, and client authentication. By specifying EKUs, organizations can ensure that certificates are only used for their intended purposes, enhancing security and trust in digital communications.
\n
\n
EKUs
\n
\n
|----
\n
\n
EKU
\n
\n
|----
\n
\n
Attributes
\n
\n
|------
\n
\n
ID *1
\n
\n
|------
\n
\n
Value *1
\n
\n
|------
\n
\n
FriendlyName
\n
\n
*1 = Required
\n
\n
\n
EKUs Elements and Attributes
\n
\n
Element Names
\n
\n
Attribute Names
\n
\n
Description
\n
\n
EKUs
\n
\n
Collection of EKU(s)
\n
\n
EKU
\n
\n
ID
\n
\n
A unique identifier for the Extended Key Usage.
\n
Required
\n
\n
Value
\n
\n
Specifies the value of the EKU in hexBinary form.
\n
Required
\n
\n
FriendlyName
\n
\n
An optional user-friendly name for the EKU.
\n
\n
\n
<!-- Other policy elements here -->
\n
<EKUs>
\n
<EKU ID=\"ID_EKU_STORE\" FriendlyName=\"Windows Store EKU - 1.3.6.1.4.1.311.76.3.1 Windows Store\" Value=\"010a2b0601040182374c0301\"/>
\n
</EKUs>
\n
<!-- Other policy elements here -->
\n
\n
UpdatePolicySigners
\n
The <UpdatePolicySigners> sub-element is used to define the code signing certificates that are trusted for updating policy files. This ensures that only authorized entities can make changes to the policy, enhancing the security and integrity of the system. By specifying trusted signers, organizations can prevent unauthorized modifications and maintain control over policy updates.
\n
\n
updatepolicysigners
\n
\n
|---------
\n
\n
updatepolicysigner
\n
\n
|---------
\n
\n
Attribute
\n
\n
|-----
\n
\n
SignerId
\n
\n
\n
UpdatePolicySigner Elements and Attributes
\n
\n
\n
Element Names
\n
\n
Attribute Names
\n
\n
Description
\n
\n
UpdatePolicySigners
\n
\n
Collection of UpdatePolicySigner(s)
\n
\n
UpdatePolicySigner
\n
\n
SignerId
\n
\n
A unique identifier for the signer. This attribute ensures that each signer authorized to update the ACfB policy can be distinctly recognized and referenced, allowing for precise control over which signers are trusted to make policy updates.
The <HvciOptions> sub-element is used to define the Hypervisor-protected Code Integrity (HVCI) settings. Hypervisor-Protected Code Integrity (HVCI) leverages virtualization-based security (VBS) to ensure that only trusted code runs in kernel mode, providing an additional layer of protection against malware and other threats. HVCI uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust for the operating system. This isolated environment ensures that kernel mode code integrity checks are performed within a secure context, preventing unauthorized code from executing. This helps in preventing unauthorized code from executing, thereby maintaining the integrity and security of the operating environment.
\n
HVCIOptions
\n
\n
Element Name
\n
\n
Description
\n
\n
HVCIOptions
\n
\n
A friendly name for the HVCI option.
\n
\n
\n
The <HvciOptions> element expects a numeric value that represents the specific configuration settings. Here’s a detailed explanation:
\n
Possible Values for HvciOptions
\n
\n
Enabled (Value: 1): Turns on HVCI, ensuring that only trusted code can run at the hypervisor level.
\n
Strict (Value: 2): Enforces stricter code integrity checks, providing an additional layer of security.
\n
DebugMode (Value: 4): Enables debugging features for HVCI, useful for development and troubleshooting.
\n
DisableAllowed (Value: 8): Allows HVCI to be disabled by the user outside of the Code Integrity policy enablement method.
\n
\n
These values can be combined using bitwise OR operations to enable multiple settings simultaneously.
\n
\n
<!-- Other policy elements here -->
\n
<HvciOptions>2</HvciOptions>
\n
<!-- Other policy elements here -->
\n
Macros
\n
A collection of macro definitions that can be used throughout the policy. Macros allow for text substitution, making it easier to manage and update policy configurations by using predefined values. Each macro is defined within a Macro element, which includes an ID and a value. By using macros, administrators can simplify the policy management process and ensure consistency across different policy elements.
\n
\n
\n
Macros
\n
\n
|-----
\n
\n
Macro
\n
\n
|
\n
\n
|-----
\n
\n
Attributes
\n
\n
|
\n
\n
|
\n
\n
|-----
\n
\n
Id *1
\n
\n
|
\n
\n
|
\n
\n
|-----
\n
\n
Value *1
\n
\n
|
\n
\n
|
\n
\n
|
\n
\n
|-----
\n
\n
Annotations
\n
\n
|
\n
\n
|-------
\n
\n
Documentation
\n
\n
|
\n
\n
|---------
\n
\n
(A Macro element defines a text substitution macro that can be used in other elements. Macros are referenced using NMAKE syntax, i.e. $(runtime.windows).)
\n
\n
|
\n
\n
|---------
\n
\n
(Required. The Id for this macro, used in macro references. For example, if the Id for this macro is \"runtime.windows\", the macro would be referenced as $(runtime.windows).)
\n
\n
|
\n
\n
|---------
\n
\n
(Required. The value that will be substituted for macro references in macro-enabled XML attributes.)
\n
\n
|
\n
\n
|-----
\n
\n
UniqueMacroId
\n
\n
|----------------
\n
\n
Selector (xpath=\"ps:Macro\")
\n
\n
|----------------
\n
\n
Field (xpath=\"@Id\")
\n
\n
*1 = Required
\n
\n
\n
Macros Elements and Constraints
\n
\n
Element Names
\n
\n
Attribute Names
\n
\n
Description
\n
\n
Macro
\n
\n
Id
\n
\n
Used in macro references, allowing the macro to be called by its ID in other elements, ensuring consistency and ease of management.
\n
Required
\n
\n
Value
\n
\n
Specifies the text to be substituted for macro references. This ensures that the defined value is consistently used wherever the macro is referenced, simplifying updates and maintenance.
\n
Required
\n
\n
“Macros” Constraints
\n
UniqueMacroId
\n
\n
Specifies the unique constraint's name, which in this case is UniqueMacroId. It ensures that each macro ID within the Macros element is unique, preventing duplication.
\n
\n
Selector
\n
\n
Defines the XPath expression used to select the elements to which the unique constraint applies. In this case, it selects the Macro elements within the Macros element.
\n
\n
Field
\n
\n
Specifies the field within the selected elements that must be unique. Here, it ensures that the Id attribute of each Macro element is unique within the Macros element.
\n
\n
\n
SupplementalPolicySigners
\n
The <SupplementalPolicySigners> element defines a collection of signers that are trusted to sign supplemental policies. Supplemental policies are additional policies that extend or modify the base policy, allowing for more granular and flexible control over application execution. The <SupplementalPolicySigners> element ensures that only authorized entities can create or update these supplemental policies, maintaining the integrity and security of the overall policy framework
\n
\n
\n
SupplementalPolicySigners
\n
\n
|----------------
\n
\n
SupplementalPolicySigner
\n
\n
|----------------
\n
\n
Attributes
\n
\n
|-------
\n
\n
SignerId *1
\n
\n
*1 = Required
\n
\n
SupplementalPolicySigners Elements and Attributes
\n
\n
Element Names
\n
\n
Attribute Names
\n
\n
Description
\n
\n
SupplementalPolicySigner
\n
\n
Collection of Collection of SupplementalPolicySigner(s)
\n
\n
SignerId
\n
\n
A unique identifier for the signer. Ensures that each signer authorized to sign supplemental policies can be distinctly recognized and referenced, allowing for precise control over which signers are trusted to create or update supplemental policies
\n
Required
\n
\n
\n
Schema Definition (CiPolicy.xsd - 1/27/2025) and location
\n
The current schema definition can be found on a Windows 11 device at:
\n
\n
C:\\Windows\\schemas\\CodeIntegrity\\cipolicy.xsd
\n
\n
\n
ACfB Example Policy locations
\n
On Windows 11, ACfB example policies are saved in the following locations:
These example policies can be used as a starting point to create custom policies for your organization's needs.
\n
\n
By implementing a well-structured and ordered schema, organizations can create a secure and efficient environment, much like how Raven's schema keeps her safe and happy in our backyard.
","body@stringLength":"115481","rawBody":"
Watching my miniature schnauzer, Raven, explore my backyard, I’m reminded of the importance of having a clear set of rules and guidelines. Just like Raven has her own schema to navigate her environment—knowing where she can wander, where she shouldn't venture, and how to interact. Application Control for Business (ACfB) provides a robust schema to help organizations manage and secure their digital landscapes.
\n
Note: ACfB has also been known as Windows Defender Application Control (WDAC), Application Control for Windows and Code Integrity.
In Raven's serene world, her schema might look something like this:
\n
\n
Safe Zones: The grassy lawn where she can leisurely sniff around and her favorite shady spot under the tree.
\n
Restricted Zones: The delicate garden beds and the tempting koi pond, which are off-limits to her curious paws.
\n
Behavior Rules: Guidelines for greeting other animals and people, ensuring she remains the friendly neighborhood pup.
\n
\n
Similarly, ACfB's schema defines the rules and guidelines for managing applications and code within an organization:
\n
\n
Approved Applications: Software that is allowed to run, ensuring it is safe and trusted.
\n
Restricted Applications: Programs that are blocked from execution to prevent potential security threats.
\n
Execution Rules: Policies that dictate how applications can interact with the system, ensuring a secure and controlled environment.
\n
\n
For Raven, following her schema with precision is key. It keeps her out of trouble and ensures she enjoys her outdoor time without any mishaps. The order of her schema is equally important. She needs to know the safe zones before understanding the restricted ones, and she must learn the behavior rules to interact safely with others.
\n
Similarly, for organizations, adhering to ACfB's schema is crucial. It ensures that only approved applications run, restricted applications are blocked, and execution rules are followed, maintaining a secure and efficient digital landscape.
\n
Similarly, ACfB's schema defines precise rules for applications, ensuring that only trusted software runs on your systems, protecting against malicious code and unauthorized access. The order in which these rules and policies are defined is critical. Just as Raven's schema order helps her navigate her environment effectively, the correct order of elements in the ACfB schema ensures that the policy is correctly interpreted and enforced.
\n
\n
Application Control for Business - Schema Overview
\n
The ACfB schema provides a comprehensive framework for defining rules and policies that control which applications are allowed to run on your systems. It ensures that only trusted applications are executed, enhancing security and compliance.
\n
XML Structure Overview
\n
The XML structure used in the schema provides a high-level view of how the elements and attributes are organized. This structure ensures that the policy is correctly interpreted and enforced by Application Control for Business.
\n
Policy Information
\n
This section includes metadata about the policy, such as its name, ID, version, and description. It provides essential information for identifying and managing different policies.
\n
SiPolicy Elements (Policy controls)
\n
Detailed descriptions of the elements that control the policy, such as rules for allowing or blocking applications. These elements define the core functionality of the policy.
\n
Rules
\n
Definitions of the various rules that can be applied within the policy, specifying what is allowed or denied. These rules are crucial for controlling application behavior.
\n
FileRules
\n
Specific rules related to files, including how they are identified and controlled. This section ensures that only trusted files are allowed to execute.
\n
Signers
\n
Information about the entities that sign the applications, ensuring they are trusted. This section is crucial for maintaining the integrity and trustworthiness of applications.
\n
SigningScenarios
\n
Different scenarios in which signing is used, providing context for when and how applications should be signed. This section helps ensure that signing practices are consistently applied.
\n
CiSigners
\n
Information about code integrity signers, who are responsible for ensuring the integrity of the code. This section is crucial for maintaining code integrity.
\n
Settings
\n
General settings for the policy, including various configuration options. These settings control the overall behavior of the policy.
\n
EKUs
\n
Extended Key Usages, which specify the purposes for which a certificate can be used. This section ensures that certificates are used appropriately.
\n
UpdatePolicySigners
\n
Information about the signers who are authorized to update the policy. This section ensures that only trusted entities can modify the policy.
\n
HVCIOptions
\n
Detailed descriptions of the hypervisor-protected code integrity options. These details define the characteristics and configurations of each option.
\n
Macros
\n
Definitions of macros used within the policy, allowing for reusable configurations. This section provides flexibility and efficiency in policy management.
\n
SupplementalPolicySigners
\n
Information about additional signers who can supplement the main policy. This section ensures that the policy can be extended and updated as needed.
\n
SupplementalPolicySigners Elements and Attributes
\n
\n
Application Control for Business Schema
\n
The ACfB schema, as defined in the provided file (CiPolicy.xsd), is a comprehensive XML schema that outlines the structure and rules for creating and managing security policies within the Application Control for Business framework. This schema includes various elements and attributes that specify how policies are constructed, validated, and enforced. Key components of the schema include definitions for file rules, signers, signing scenarios, and policy settings, each with specific attributes and nested elements that provide detailed control over the security configurations.
\n
The primary purpose of the ACfB schema is to enhance the security posture of Windows environments by ensuring that only trusted and verified code is allowed to execute. By defining rules for allowing or denying specific files, managing trusted signers, and specifying conditions under which certain policies apply, the ACfB schema helps administrators create granular and flexible security policies. These policies protect against unauthorized code execution, maintain system integrity, and ensure compliance with organizational security standards.
\n
\n
Application Control Bypass
\n
ACfB provides the ability to lock down endpoints effectively, but there are some potential bypasses that need to be addressed. Certain legitimate applications, such as powershell.exe, msbuild.exe, and wscript.exe, can be exploited by attackers to circumvent these controls. Blocking these applications is recommended unless they are absolutely necessary for business operations.
\n
Additionally, keeping software up to date is crucial to mitigate vulnerabilities. For instance, older versions of BGInfo are vulnerable and should be blocked, while the latest version has resolved these security issues. The security community has been instrumental in identifying these vulnerabilities and helping to protect users. Following these recommendations is vital to ensure our systems remain secure.
\n
For complete details, please refer to the full article on Microsoft's website:
An ACfB policy XML file consists of several key sections:
\n
\n
Policy Information: Metadata about the policy.
\n
Rules: Definitions of what is allowed or denied.
\n
File Rules: Specific rules for files and applications.
\n
Signing Rules: Rules for signed applications and drivers.
\n
\n
\n
Policy Information
\n
The <SiPolicy> Root Element is used to define the overall security policy for the system. This element encompasses various configurations and settings that dictate how the security policy is enforced. It includes details such as policy type, policy rules, and other critical parameters that ensure the integrity and security of the system. By configuring <SiPolicy>, organizations can establish a comprehensive security framework that governs the behavior of applications and code execution on the system.
\n
\n
SiPolicy
\n\n
|-----
\n\n
Attributes
\n\n
|
\n\n
|-----
\n\n
FriendlyName
\n\n
|
\n\n
|-----
\n\n
PolicyType
\n\n
|
\n\n
|------------------------
\n\n
\"Base Policy\"
\n\n
|
\n\n
|------------------------
\n\n
\"Supplemental Policy\"
\n\n
|
\n\n
|------------------------
\n\n
\"AppID Tagging Policy\"
\n\n
|
\n\n
|-----
\n\n
Elements
\n\n
|-----
\n\n
VersionEx *1, *2
\n\n
|-----
\n\n
PolicyTypeID *2
\n\n
|-----
\n\n
PlatformID *1, *2
\n\n
|-----
\n\n
PolicyID * 2
\n\n
|-----
\n\n
BasePolicyID *2
\n\n
|-----
\n\n
Rules
\n\n
|----- Rule
\n\n
|-----
\n\n
EKUs
\n\n
|-----
\n\n
FileRules
\n\n
|-----
\n\n
Signers
\n\n
|-----
\n\n
SigningScenarios
\n\n
|-----
\n\n
UpdatePolicySigners
\n\n
|-----
\n\n
CiSigners
\n\n
|-----
\n\n
HvciOptions
\n\n
|-----
\n\n
Settings
\n\n
|-----
\n\n
Macros
\n\n
|-----
\n\n
SupplementalPolicySigners
\n\n
|-----
\n\n
AppSettings
\n\n
*1 - Required
\n\n
*2 - These elements are used for defining and managing the ACfB policies on an endpoint.
\n
\n
\n
SiPolicy Elements (Policy controls)
\n
\n
Element Names
\n\n
Description
\n\n
VersionEx
\n\n
Specifies the extended version of the policy.
\n\n
PolicyTypeID
\n\n
Used to uniquely identify and manage different types of polices
\n\n
PolicyID
\n\n
The unique identifier for the policy.
\n\n
BasePolicyID
\n\n
The GUID of the base policy, if applicable.
\n\n
PlatformID
\n\n
The identifier for the platform the policy applies to.
There are a total of 17 sub-elements available under <SiPolicy> in a ACfB policy XML file.
\n
\n
\n
Element Names
\n\n
Description
\n\n
Notes
\n\n
<VersionEx>
\n\n
Specifies the version of the System Integrity policy.
\n\n
Required
\n\n
<PolicyTypeID>
\n\n
Unique identifier for the policy type.
\n\n
<PlatformID>
\n\n
Unique identifier for the platform.
\n\n
Required
\n\n
<PolicyID>
\n\n
Unique identifier for the policy.
\n\n
<BasePolicyID>
\n\n
Unique identifier for the base policy.
\n\n
<Rules>
\n\n
The <Rules> sub-element is used to define various options and settings related to the rules enforced by the policy. These options can include configurations such as enabling or disabling specific rule types, setting enforcement levels, and other parameters that control how the rules are applied. By configuring <RulesOptions>, organizations can fine-tune the behavior of their security policies to meet specific requirements and ensure that the rules are enforced in a manner that aligns with their security objectives.
\n\n
Contains a sequence of <Rule> elements defining various policy rules.
\n\n
<EKUs>
\n\n
The <EKUs> element defines Extended Key Usage (EKU) settings for the ACfB policy. EKUs specify the purposes for which a certificate can be used, such as code signing or server authentication. This element can include multiple EKU definitions, each specified within an <EKU> element. By defining EKUs, administrators can ensure that only certificates with the appropriate usage attributes are trusted, providing an additional layer of security for the system.
\n\n
Collection of Extended Key Usage (EKU) elements.
\n\n
FileRules
\n\n
The <FileRules> element specifies how applications and drivers are identified and allowed or denied. This element can include rules based on file attributes, hashes, paths, publishers, and certificates. For example, you can allow a specific file by its hash or allow all files in a particular directory. The flexibility of <FileRules> allows administrators to create granular policies that precisely control which files are permitted to execute, enhancing the security posture of the system.
\n\n
Collection of file rules.
\n\n
Signers
\n\n
The <Signers> element defines trusted signers for applications and drivers. This element can include various types of signers, such as FilePublisher, LeafCertificate, PcaCertificate, and RootCertificate. Each signer type specifies different levels of trust, from individual files to entire certificate chains. By defining trusted signers, administrators can ensure that only applications and drivers signed by recognized entities are allowed to run, reducing the risk of malware and unauthorized software.
\n\n
Collection of signers.
\n\n
SigningScenarios
\n\n
The <SigningScenarios> element specifies different scenarios under which signing rules apply. This element can include scenarios for drivers, Windows components, and other specific use cases. Each scenario is defined within a <SigningScenario> element, which includes details such as the scenario value, ID, and friendly name. By defining signing scenarios, administrators can create policies that apply different rules based on the context in which an application or driver is executed, providing more nuanced control over software execution.
\n\n
Collection of signing scenarios.
\n\n
UpdatePolicySigners
\n\n
The <UpdatePolicySigners> element defines signers that are trusted to update the ACfB policy. This element can include various types of signers, such as FilePublisher, LeafCertificate, PcaCertificate, and RootCertificate. By specifying trusted update policy signers, administrators can ensure that only authorized entities can modify the ACfB policy, preventing unauthorized changes that could compromise the security of the system.
\n\n
Collection of signers for system integrity policy updating.
\n\n
CiSigners
\n\n
The <CiSigners> element defines Code Integrity signers that are trusted for all builds, including retail builds. This element is typically used to include enterprise signers or production signers that are trusted across the organization. By specifying trusted Code Integrity signers, administrators can ensure that only code signed by recognized entities is allowed to run, enhancing the overall security of the system.
\n\n
Collection of signers trusted for CI signing levels.
\n\n
HvciOptions
\n\n
Hypervisor-Protected Code Integrity (HVCI) leverages virtualization-based security (VBS) to ensure that only trusted code runs in kernel mode
\n\n
Specifies (HVCI) settings.
\n\n
Settings
\n\n
The <Settings> element includes additional settings for the ACfB policy. This element can define various configuration options, such as policy information, enterprise-defined settings, and other custom settings. Each setting is specified within a <Setting> element, which includes details such as the provider, key, value name, and value. By configuring these settings, administrators can customize the behavior of the ACfB policy to meet the specific needs of their organization.
\n\n
Collection of setting elements.
\n\n
Macros
\n\n
The <Macros> element defines a collection of macro definitions that can be used throughout the policy. Macros allow for text substitution, making it easier to manage and update policy configurations. Each macro is defined within a <Macro> element, which includes an ID and a value. By using macros, administrators can simplify the policy management process and ensure consistency across different policy elements.
\n\n
Collection of macro definitions.
\n\n
SupplementalPolicySigners
\n\n
The <SupplementalPolicySigners> element defines a collection of signers for supplemental policies. These signers are trusted to sign additional policies that extend or modify the base policy. By specifying supplemental policy signers, administrators can ensure that only authorized entities can create or update supplemental policies, maintaining the integrity and security of the overall policy framework.
\n\n
Collection of signers for supplemental policies.
\n\n
AppSettings
\n\n
The <AppSettings> element defines a collection of application settings. These settings can include various configuration options specific to applications, such as manifest paths and custom settings. Each application setting is defined within an <App> element, which includes details such as the manifest path and individual settings. By configuring application settings, administrators can tailor the behavior of specific applications to meet organizational requirements.
The <Rules> sub-element is used to organize and manage various rules within the policy. It contains a sequence of <Rule> elements, each defined by the Rules complex type. These rules specify configurations such as enabling or disabling specific options, setting enforcement levels, and other parameters that control how the rules are applied. By configuring the <Rules> sub-element, organizations can fine-tune the behavior of their security policies to meet specific requirements and ensure that the rules are enforced in a manner that aligns with their security objectives.
\n
\n
Rules
\n\n
|------
\n\n
Rule
\n\n
|------
\n\n
RuleType
\n\n
|------
\n\n
Option
\n\n
|------
\n\n
Enabled:UMCI
\n\n
|------
\n\n
Enabled:Boot Menu Protection
\n\n
|------
\n\n
Enabled:Intelligent Security Graph Authorization
\n\n
|------
\n\n
Enabled:Invalidate EAs on Reboot
\n\n
|------
\n\n
Required:WHQL
\n\n
|------
\n\n
Enabled:Developer Mode Dynamic Code Trust
\n\n
|------
\n\n
Enabled:Allow Supplemental Policies
\n\n
|------
\n\n
Disabled:Runtime FilePath Rule Protection
\n\n
|------
\n\n
Enabled:Revoked Expired As Unsigned
\n\n
|------
\n\n
Enabled:Audit Mode
\n\n
|------
\n\n
Disabled:Flight Signing
\n\n
|------
\n\n
Enabled:Inherit Default Policy
\n\n
|------
\n\n
Enabled:Unsigned System Integrity Policy
\n\n
|------
\n\n
Enabled:Dynamic Code Security
\n\n
|------
\n\n
Required:EV Signers
\n\n
|------
\n\n
Enabled:Boot Audit On Failure
\n\n
|------
\n\n
Enabled:Advanced Boot Options Menu
\n\n
|------
\n\n
Disabled:Script Enforcement
\n\n
|------
\n\n
Required:Enforce Store Applications
\n\n
|------
\n\n
Enabled:Secure Setting Policy
\n\n
|------
\n\n
Enabled:Managed Installer
\n\n
|------
\n\n
Enabled:Update Policy No Reboot
\n\n
|------
\n\n
Enabled:Conditional Windows Lockdown Policy
\n
\n
\n
Rules Options
\n
\n
Option Types
\n\n
Description
\n\n
Enabled:UMCI
\n\n
Enables User Mode Code Integrity (UMCI), ensuring that only trusted code runs in user mode.
\n\n
Enabled:Boot Menu Protection
\n\n
Enables protection for the boot menu, preventing unauthorized changes to boot configurations.
\n\n
Enabled:Intelligent Security Graph Authorization
\n\n
Utilizes the Intelligent Security Graph to authorize applications, enhancing security by leveraging Microsoft's threat intelligence.
\n\n
Enabled:Invalidate EAs on Reboot
\n\n
Invalidates Extended Attributes (EAs) on reboot, ensuring that any changes to EAs are not persistent across reboots.
\n\n
Required:WHQL
\n\n
Requires that drivers are Windows Hardware Quality Labs (WHQL) certified, ensuring they meet Microsoft's quality standards.
\n\n
Enabled:Developer Mode Dynamic Code Trust
\n\n
Enables dynamic code trust for developer mode, allowing developers to run and test code that may not be signed.
\n\n
Enabled:Allow Supplemental Policies
\n\n
Allows the use of supplemental policies, which can extend or modify the base policy.
\n\n
Disabled:Runtime FilePath Rule Protection
\n\n
Disables runtime protection for file path rules, potentially reducing security but allowing more flexibility.
\n\n
Enabled:Revoked Expired As Unsigned
\n\n
Treats revoked or expired certificates as unsigned, preventing code signed with such certificates from running.
\n\n
Enabled:Audit Mode
\n\n
Enables audit mode, which logs policy violations without enforcing them, useful for testing and monitoring.
\n\n
Disabled:Flight Signing
\n\n
Disables flight signing, which is used for pre-release software testing.
\n\n
Enabled:Inherit Default Policy
\n\n
Allows the policy to inherit settings from the default policy, ensuring consistency and reducing configuration effort.
\n\n
Enabled:Unsigned System Integrity Policy
\n\n
Enables the use of unsigned system integrity policies, which can be useful in certain testing or development scenarios.
\n\n
Enabled:Dynamic Code Security
\n\n
Enhances security by enabling dynamic code security measures, which help protect against runtime code modifications.
\n\n
Required:EV Signers
\n\n
Requires Extended Validation (EV) certificates for code signing, providing a higher level of trust.
\n\n
Enabled:Boot Audit On Failure
\n\n
Enables auditing of boot failures, helping to diagnose and troubleshoot boot issues.
\n\n
Enabled:Advanced Boot Options Menu
\n\n
Enables the advanced boot options menu, providing additional boot options for troubleshooting and recovery.
\n\n
Disabled:Script Enforcement
\n\n
Disables enforcement of script policies, allowing scripts to run without being subject to policy restrictions.
\n\n
Required:Enforce Store Applications
\n\n
Requires that only applications from the Microsoft Store are allowed to run, enhancing security by restricting software sources.
\n\n
Enabled:Secure Setting Policy
\n\n
Enables secure setting policies, which enforce additional security settings.
\n\n
Enabled:Managed Installer
\n\n
Allows the use of a managed installer, which can install and manage applications according to policy.
\n\n
Enabled:Update Policy No Reboot
\n\n
Enables policy updates without requiring a reboot, reducing downtime and improving user experience.
\n\n
Enabled:Conditional Windows Lockdown Policy
\n\n
Enables conditional lockdown policies, which can enforce stricter security measures based on certain conditions.
\n
\n
\n
<!-- Other policy elements here -->
\n
<Rules>
\n
<Rule>
\n
<Option>Enabled:Unsigned System Integrity Policy</Option>
The <FileRules> sub-element is used to define various options and settings related to file rules enforced by the policy. These options can include configurations such as specifying file types to be monitored, setting enforcement levels for different file operations, and other parameters that control how file rules are applied. By configuring <FileRules>, organizations can customize the behavior of their file security policies to meet specific requirements and ensure that file operations are monitored and controlled in a manner that aligns with their security objectives.
\n
\n
FileRules
\n\n
|------
\n\n
Allow
\n\n
|
\n\n
|--------
\n\n
ID *1
\n\n
|
\n\n
|--------
\n\n
FriendlyName
\n\n
|
\n\n
|--------
\n\n
FileName
\n\n
|
\n\n
|--------
\n\n
InternalName
\n\n
|
\n\n
|--------
\n\n
FileDescription
\n\n
|
\n\n
|--------
\n\n
ProductName
\n\n
|
\n\n
|--------
\n\n
PackageFamilyName
\n\n
|
\n\n
|--------
\n\n
PackageVersion
\n\n
|
\n\n
|--------
\n\n
MinimumFileVersion
\n\n
|
\n\n
|--------
\n\n
MaximumFileVersion
\n\n
|
\n\n
|--------
\n\n
Hash
\n\n
|
\n\n
|--------
\n\n
AppIDs
\n\n
|
\n\n
|--------
\n\n
FilePath
\n\n
|
\n\n
|------
\n\n
Deny
\n\n
|
\n\n
|--------
\n\n
ID *1
\n\n
|
\n\n
|--------
\n\n
FriendlyName
\n\n
|
\n\n
|--------
\n\n
FileName
\n\n
|
\n\n
|--------
\n\n
InternalName
\n\n
|
\n\n
|--------
\n\n
FileDescription
\n\n
|
\n\n
|--------
\n\n
ProductName
\n\n
|
\n\n
|--------
\n\n
PackageFamilyName
\n\n
|
\n\n
|--------
\n\n
PackageVersion
\n\n
|
\n\n
|--------
\n\n
MinimumFileVersion
\n\n
|
\n\n
|--------
\n\n
MaximumFileVersion
\n\n
|
\n\n
|--------
\n\n
Hash
\n\n
|
\n\n
|--------
\n\n
AppIDs
\n\n
|
\n\n
|--------
\n\n
FilePath
\n\n
|
\n\n
|------
\n\n
FileAttrib
\n\n
|
\n\n
|--------
\n\n
ID *1
\n\n
|
\n\n
|--------
\n\n
FriendlyName
\n\n
|
\n\n
|--------
\n\n
FileName
\n\n
|
\n\n
|--------
\n\n
InternalName
\n\n
|
\n\n
|--------
\n\n
FileDescription
\n\n
|
\n\n
|--------
\n\n
ProductName
\n\n
|
\n\n
|--------
\n\n
PackageFamilyName
\n\n
|
\n\n
|--------
\n\n
PackageVersion
\n\n
|
\n\n
|--------
\n\n
MinimumFileVersion
\n\n
|
\n\n
|--------
\n\n
MaximumFileVersion
\n\n
|
\n\n
|--------
\n\n
Hash
\n\n
|
\n\n
|--------
\n\n
AppIDs
\n\n
|
\n\n
|--------
\n\n
FilePath
\n\n
|
\n\n
|------
\n\n
FileRule
\n\n
|--------
\n\n
ID *1
\n\n
|--------
\n\n
FriendlyName
\n\n
|--------
\n\n
FileName
\n\n
|--------
\n\n
InternalName
\n\n
|--------
\n\n
FileDescription
\n\n
|--------
\n\n
ProductName
\n\n
|--------
\n\n
PackageFamilyName
\n\n
|--------
\n\n
PackageVersion
\n\n
|--------
\n\n
MinimumFileVersion
\n\n
|--------
\n\n
MaximumFileVersion
\n\n
|--------
\n\n
Hash
\n\n
|--------
\n\n
AppIDs
\n\n
|--------
\n\n
FilePath
\n\n
|--------
\n\n
Type *1
\n\n
|-------------------
\n\n
\"Match\"
\n\n
|-------------------
\n\n
\"Exclude\"
\n\n
|-------------------
\n\n
\"Attribute\"
\n\n
*1 = Required
\n
\n
\n
FileRules Elements and Attributes
\n
There are 4 elements and 13 attributes available for FileRules. The elements specify how applications and drivers are identified and allowed or denied based on various attributes within the ACfB policy. The attributes allow administrators to specify criteria based on various properties of files, such as their cryptographic hash, file name, file path, publisher's certificate, and more. This ensures that only trusted and verified files are permitted to execute
\n
\n
Element Names
\n\n
Attribute Names
\n\n
Description
\n\n
Allow
\n
Deny
\n
FileAttrib
\n
FileRule
\n\n
AppIDs
\n\n
Application IDs associated with the file, used for additional identification and management.
\n\n
FileDescription
\n\n
A description of the file, providing more context about its purpose and usage.
\n\n
FileName
\n\n
Specifies the name of the file to allow. Ensures that only files with this exact name are permitted to run.
\n\n
FilePath
\n\n
Specifies the path of the file to allow. Ensures that only files located in this specific path are permitted to run.
\n\n
FriendlyName
\n\n
A user-friendly name for the rule, making it easier to identify and manage.
\n\n
Hash
\n\n
Specifies the cryptographic hash of the file to allow. Provides a high level of security by ensuring that only the exact file with this hash is permitted to run.
\n\n
ID
\n\n
Unique identifier for the rule.
\n
(Required)
\n\n
InternalName
\n\n
The internal name of the file, often used for additional verification.
\n\n
MaximumFileVersion
\n\n
Specifies the maximum version of the file to allow. Prevents the execution of potentially outdated or insecure versions.
\n\n
MinimumFileVersion
\n\n
Specifies the minimum version of the file to allow. Ensures that only updated and secure versions are permitted.
\n\n
PackageFamilyName
\n\n
The package family name for the file, used to group related files together.
\n\n
PackageVersion
\n\n
The version of the package that the file belongs to, ensuring compatibility and version control.
\n\n
ProductName
\n\n
The name of the product associated with the file, helping to identify the software it belongs to.
\n\n
FileRule (only)
\n\n
Type
\n\n
Specifies the type of rule being applied, such as Match, Exclude, or Attribute. This attribute defines the condition under which the rule applies, allowing for precise control over how files are identified and managed.
\n
(Required)
\n
\n
\n
<!-- Other policy elements here -->
\n
<FileRules>
\n
<FileAttrib ID=\"ID_FILEATTRIB_A_1\" FriendlyName=\"Allow files based on file attributes: 16.0.18429.20114 and WinWord.exe\" FileName=\"*\" MinimumFileVersion=\"16.0.18429.20114\"/>
\n
<Allow ID=\"ID_ALLOW_PATH_0_1_0\" FriendlyName=\"Allow by path: %OSDRIVE%\\Program Files\\PuTTY\\putty.exe\" FilePath=\"%OSDRIVE%\\Program Files\\PuTTY\\putty.exe\"/>
\n
<Deny ID=\"ID_DENY_PATH_0_1_0\" FriendlyName=\"Deny by path: %OSDRIVE%\\Program Files\\Notepad++\\notepad++.exe\" FilePath=\"%OSDRIVE%\\Program Files\\Notepad++\\notepad++.exe\"/>
\n
<Allow ID=\"ID_ALLOW_A_1_1_0\" FriendlyName=\"Allow files based on file attributes: Google Chrome\" FileDescription=\"Google Chrome\"/>
\n
</FileRules>
\n
<!-- Other policy elements here -->
\n
\n
Signers
\n
The <Signers> sub-element is a collection of <Signer> elements that are trusted to sign applications and drivers. It includes various sub-elements that define the details of each signer. These options can include configurations such as specifying the criteria for trusted signers, setting validation levels for signer certificates, and other parameters that control how signers are managed and verified. By configuring <Signers>, organizations can ensure that only authorized and trusted signers are allowed, enhancing the security and integrity of the system by preventing unauthorized code from being executed.
\n
Sub-element:<Signer> of <Signers>
\n
The <Signer> sub-element defines an individual signer and includes several attributes and nested elements that specify the details of the signer's certificate and other relevant information.
\n
\n
Signers
\n\n
|------
\n\n
Signer
\n\n
|------
\n\n
Attributes
\n\n
|
\n\n
|------
\n\n
Name
\n\n
|
\n\n
|------
\n\n
ID
\n\n
|
\n\n
|------
\n\n
SignTimeAfter
\n\n
|
\n\n
|------
\n\n
Certroot *1
\n\n
|
\n\n
|------
\n\n
Attribute
\n\n
|
\n\n
|------
\n\n
Type *1
\n\n
|
\n\n
|-----
\n\n
\"TBS\"
\n\n
|
\n\n
|-----
\n\n
\"WellKnown\"
\n\n
|
\n\n
|
\n\n
|------
\n\n
Value *1
\n\n
|------
\n\n
CertEKU
\n\n
|
\n\n
|------
\n\n
Attribute
\n\n
|
\n\n
|------
\n\n
ID *1
\n\n
|------
\n\n
CertIssuer
\n\n
|
\n\n
|------
\n\n
Attribute
\n\n
|
\n\n
|------
\n\n
Value *1
\n\n
|------
\n\n
CertPublisher
\n\n
|
\n\n
|------
\n\n
Attribute
\n\n
|
\n\n
|------
\n\n
Value *1
\n\n
|------
\n\n
CertOemID
\n\n
|
\n\n
|------
\n\n
Attribute
\n\n
|
\n\n
|------
\n\n
Value *1
\n\n
|------
\n\n
FileAttribRef
\n\n
|------
\n\n
Attribute
\n\n
|------
\n\n
RuleID *1
\n\n
*1 = Required
\n
\n
\n
Signers Elements and Attributes
\n
\n
Element Names
\n\n
Attribute Names
\n\n
Description
\n\n
Signers
\n\n
A collection of Signer elements that define individual signers trusted to sign applications and drivers.
\n\n
Signer
\n\n
Name
\n\n
Specifies the name of the signer.
\n\n
ID
\n\n
Unique identifier for the signer.
\n\n
SignTimeAfter
\n\n
Specifying the time after which the signer's certificate is valid.
\n\n
CertRoot
\n\n
Type
\n\n
Specifies the root certificate for a signer.
\n
(Required)
\n\n
Value
\n\n
Specifies the value of the root certificate in hexBinary form.
\n\n
CertEKU
\n\n
ID
\n\n
Specifies the EKU ID.
\n\n
CertIssuer
\n\n
Value
\n\n
Specifies the value of the issuer certificate.
\n\n
CertPublisher
\n\n
Value
\n\n
Specifies the value of the publisher certificate.
\n\n
CertOemID
\n\n
Value
\n\n
Specifies the value of the OEM ID.
\n\n
FileAttribRef
\n\n
RuleID
\n\n
References a file attribute rule through its ID.
\n
\n
\n
<!-- Other policy elements here -->
\n
<FileRules>
\n
<FileAttrib ID=\"ID_FILEATTRIB_A_2\" FriendlyName=\"Allow files based on file attributes: 132.0.6834.111 and chrome.exe\" FileName=\"*\" MinimumFileVersion=\"132.0.6834.111\"/>
\n
<FileAttrib ID=\"ID_FILEATTRIB_A_1_1_0\" FriendlyName=\"Deny files based on file attributes: 21.4.7.25431 and SNAGIT32.EXE\" FileName=\"*\" MinimumFileVersion=\"21.4.7.25431\"/>
The <SigningScenarios> element is used to define the different scenarios in which code signing is required or trusted. These scenarios specify the conditions under which code must be signed to be considered valid and executable. By configuring <SigningScenarios>, organizations can enforce code signing policies that ensure only authorized and trusted code is allowed to run. This helps in maintaining the integrity and security of the system by preventing the execution of unauthorized or malicious code.
\n
\n
\n
SigningScenarios
\n\n
|
\n\n
SigningScenario
\n\n
|----------
\n\n
Attributes
\n\n
|
\n\n
|----------
\n\n
ID *1
\n\n
|
\n\n
|----------
\n\n
FriendlyName
\n\n
|
\n\n
|----------
\n\n
Value *1
\n\n
|
\n\n
|----------
\n\n
InheritedScenarios
\n\n
|
\n\n
|----------
\n\n
MinimumHashAlgorithm
\n\n
|
\n\n
\n\n
\n\n
\n\n
\n\n
\n\n
|----------
\n\n
ProductSigners *1
\n\n
|
\n\n
|----------
\n\n
AllowedSigners
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Workaround
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
AllowedSigner
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|
\n\n
|-------
\n\n
SignerId
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------
\n\n
ExceptDenyRule
\n\n
|
\n\n
|
\n\n
|-------
\n\n
Attributes
\n\n
|
\n\n
|----------
\n\n
DeniedSigners
\n\n
|-------
\n\n
DenyRuleId
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Workaround
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
DeniedSigner
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|
\n\n
|-------
\n\n
SignerId
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------
\n\n
ExceptAllowRule
\n\n
|
\n\n
|
\n\n
|-------
\n\n
Attributes
\n\n
|
\n\n
|----------
\n\n
FileRulesRef
\n\n
|-------
\n\n
AllowRuleId
\n\n
|
\n\n
|---------------
\n\n
Atributes
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Workaround
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
FileRuleRef
\n\n
|
\n\n
|---------
\n\n
RuleId
\n\n
|
\n\n
\n\n
\n\n
\n\n
\n\n
\n\n
|----------
\n\n
TestSigners
\n\n
|
\n\n
|----------
\n\n
AllowedSigners
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Workaround
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
AllowedSigner
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|
\n\n
|-------
\n\n
SignerId
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------
\n\n
ExceptDenyRule
\n\n
|
\n\n
|
\n\n
|-------
\n\n
Attributes
\n\n
|
\n\n
|----------
\n\n
DeniedSigners
\n\n
|-------
\n\n
DenyRuleId
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Workaround
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
DeniedSigner
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|
\n\n
|-------
\n\n
SignerId
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------
\n\n
ExceptAllowRule
\n\n
|
\n\n
|
\n\n
|-------
\n\n
Attributes
\n\n
|
\n\n
|----------
\n\n
FileRulesRef
\n\n
|-------
\n\n
AllowRuleId
\n\n
|
\n\n
|---------------
\n\n
Atributes
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Workaround
\n\n
|
\n\n
FileRuleRef
\n\n
|
\n\n
|---------------
\n\n
Atributes
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Workaround
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
FileRuleRef
\n\n
|
\n\n
|---------
\n\n
RuleId
\n\n
|
\n\n
\n\n
\n\n
\n\n
\n\n
\n\n
|----------
\n\n
TestSigningSigners
\n\n
|
\n\n
|----------
\n\n
AllowedSigners
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Workaround
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
AllowedSigner
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|
\n\n
|-------
\n\n
SignerId
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------
\n\n
ExceptDenyRule
\n\n
|
\n\n
|
\n\n
|-------
\n\n
Attributes
\n\n
|
\n\n
|----------
\n\n
DeniedSigners
\n\n
|-------
\n\n
DenyRuleId
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Workaround
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
DeniedSigner
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|
\n\n
|-------
\n\n
SignerId
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------
\n\n
ExceptAllowRule
\n\n
|
\n\n
|
\n\n
|-------
\n\n
Attributes
\n\n
|
\n\n
|----------
\n\n
FileRulesRef
\n\n
|-------
\n\n
AllowRuleId
\n\n
|
\n\n
|---------------
\n\n
Atributes
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Workaround
\n\n
|
\n\n
FileRuleRef
\n\n
|
\n\n
|---------------
\n\n
Atributes
\n\n
|
\n\n
|
\n\n
|---------
\n\n
Workaround
\n\n
|
\n\n
|
\n\n
|
\n\n
|---------------
\n\n
FileRuleRef
\n\n
|
\n\n
|---------
\n\n
RuleId
\n\n
|
\n\n
\n\n
\n\n
\n\n
\n\n
\n\n
|----------
\n\n
AppIDTags
\n\n
|----------
\n\n
Attributes
\n\n
|
\n\n
|---------------
\n\n
EnforceDLL
\n\n
|
\n\n
|----------
\n\n
AppIDTag
\n\n
|---------------
\n\n
Attributes
\n\n
|---------
\n\n
Key
\n\n
|---------
\n\n
Value
\n\n
*1 = Required
\n
\n
\n
SigningScenarios Elements and Attributes
\n
\n
Element Names
\n\n
Nested Elements
\n\n
Attribute Name
\n\n
Description
\n\n
SigningScenarios
\n\n
ID
\n\n
A unique identifier for the signing scenario.
\n\n
FriendlyName
\n\n
Helps in easily identifying and managing the signing scenario.
\n\n
InheritedScenarios
\n\n
Allows the signing scenario to inherit rules and settings from other defined scenarios, promoting reuse and consistency.
\n\n
MinimumHashAlgorithm
\n\n
Ensures that only cryptographic hashes meeting the specified algorithm criteria are considered valid.
\n\n
Value
\n\n
Required and defines the specific context or condition under which the signing scenario applies.
\n\n
ProductSigners,
\n
TestSigners, TestSigningSigners
\n\n
AllowedSigners
\n\n
WorkAround
\n\n
Provides flexibility in handling specific scenarios or exceptions that may not be directly addressed by the standard schema definitions, allowing for customized solutions to unique challenges.
\n\n
AllowedSigner
\n\n
SignerId
\n\n
Each signer can be distinctly recognized and referenced within the ACfB policy, allowing for precise control over which signers are trusted or denied.
\n\n
AllowedSigner/ExceptDenyRule
\n\n
DenyRuleId
\n\n
Used in the ExceptDenyRule element to reference a specific deny rule, making the allow rule conditional based on the deny rule.
\n\n
DeniedSigners
\n\n
WorkAround
\n\n
Provides flexibility in handling specific scenarios or exceptions that may not be directly addressed by the standard schema definitions, allowing for customized solutions to unique challenges.
\n\n
DeniedSigner
\n\n
SignerId
\n\n
Used in the AllowedSigner and DeniedSigner elements to distinctly recognize and reference each signer.
\n\n
DeniedSigner/ExceptAllowRule
\n\n
AllowRuleId
\n\n
Specification of the AllowRuleId.
\n\n
FileRulesRef
\n\n
Workaround
\n\n
Provides flexibility in handling specific scenarios or exceptions that may not be directly addressed by the standard schema definitions, allowing for customized solutions to unique challenges.
\n\n
FileRuleRef
\n\n
RuleId
\n\n
Specifies the ID of the file rule.
\n\n
AppIDTags
\n\n
EnforceDLL
\n\n
If enabled ensures that only trusted DLLs are allowed to load.
\n\n
AddIDTag
\n\n
Key
\n\n
Specifies the key for the application ID tag.
\n\n
Value
\n\n
Specifies the value for the application ID tag.
\n
\n
\n
CiSigners
\n
<CiSigners> are signers that ConfigCI asks CI to trust for all builds, including retail builds.
\n
Normally CiSigners is empty or only includes production signers. For enterprise ConfigCI policy, you may need to include enterprise signers. Just make sure it is understood that CiSigners will be trusted by CI for ALL builds.
\n
\n
\n
CiSigners
\n\n
|------
\n\n
CiSigner *1
\n\n
|------
\n\n
Attribute
\n\n
|------
\n\n
SignerId
\n\n
*1 = Required
\n
\n
\n
\n
Element Names
\n\n
Attribute Names
\n\n
Description
\n\n
CiSigners
\n\n
A collection of CiSigner elements.
\n\n
CiSigner
\n\n
SignerId
\n\n
To distinctly recognize and reference each signer within the ACfB policy.
The <Settings> sub-element is used to define various configuration settings for the policy. These settings can include options such as enabling or disabling specific features, setting enforcement levels, and other parameters that control the behavior of the policy. By configuring <Settings>, organizations can customize the policy to meet their specific security requirements and operational needs. This helps in ensuring that the policy is applied in a manner that aligns with the organization's security objectives and operational practices.
\n
\n
Settings
\n\n
|-----
\n\n
Setting
\n\n
|-----
\n\n
Attribute
\n\n
|
\n\n
|-----
\n\n
Provider *1
\n\n
|
\n\n
|-----
\n\n
Key *1
\n\n
|
\n\n
|-----
\n\n
ValueName *1
\n\n
|
\n\n
|-----
\n\n
Value
\n\n
|-----
\n\n
SettingValueType *1
\n\n
|------------
\n\n
BooleanType
\n\n
|------------
\n\n
DWordType
\n\n
|------------
\n\n
xs:hexBinary
\n\n
|------------
\n\n
xs:string
\n\n
*1 = Required
\n
\n
\n
Settings, Elements, Attributes and SettingValueType
\n
\n
Element Names
\n\n
Attribute Names
\n\n
Description
\n\n
Settings
\n\n
Collection of Setting(s).
\n\n
Setting
\n\n
Provider
\n\n
Specifies the source or context of the setting.
\n
Required
\n\n
Key
\n\n
Defines the category or type of information the setting pertains to.
\n
Required
\n\n
ValueName
\n\n
Specifies the name of the specific value being set.
\n
Required
\n\n
Setting/Value/SettingValueType
\n
Required
\n\n
BooleanType
\n\n
Represents a Boolean value, which can be either true or false.
\n\n
DWordType
\n\n
Represents a double word (32-bit unsigned integer) value.
The <EKUs> sub-element is used to define the Extended Key Usage (EKU) attributes for certificates. EKUs specify the purposes for which the certificate's public key can be used, such as code signing, server authentication, and client authentication. By specifying EKUs, organizations can ensure that certificates are only used for their intended purposes, enhancing security and trust in digital communications.
\n
\n
EKUs
\n\n
|----
\n\n
EKU
\n\n
|----
\n\n
Attributes
\n\n
|------
\n\n
ID *1
\n\n
|------
\n\n
Value *1
\n\n
|------
\n\n
FriendlyName
\n\n
*1 = Required
\n
\n
\n
EKUs Elements and Attributes
\n
\n
Element Names
\n\n
Attribute Names
\n\n
Description
\n\n
EKUs
\n\n
Collection of EKU(s)
\n\n
EKU
\n\n
ID
\n\n
A unique identifier for the Extended Key Usage.
\n
Required
\n\n
Value
\n\n
Specifies the value of the EKU in hexBinary form.
\n
Required
\n\n
FriendlyName
\n\n
An optional user-friendly name for the EKU.
\n
\n
\n
<!-- Other policy elements here -->
\n
<EKUs>
\n
<EKU ID=\"ID_EKU_STORE\" FriendlyName=\"Windows Store EKU - 1.3.6.1.4.1.311.76.3.1 Windows Store\" Value=\"010a2b0601040182374c0301\"/>
\n
</EKUs>
\n
<!-- Other policy elements here -->
\n
\n
UpdatePolicySigners
\n
The <UpdatePolicySigners> sub-element is used to define the code signing certificates that are trusted for updating policy files. This ensures that only authorized entities can make changes to the policy, enhancing the security and integrity of the system. By specifying trusted signers, organizations can prevent unauthorized modifications and maintain control over policy updates.
\n
\n
updatepolicysigners
\n\n
|---------
\n\n
updatepolicysigner
\n\n
|---------
\n\n
Attribute
\n\n
|-----
\n\n
SignerId
\n
\n
\n
UpdatePolicySigner Elements and Attributes
\n
\n
\n
Element Names
\n\n
Attribute Names
\n\n
Description
\n\n
UpdatePolicySigners
\n\n
Collection of UpdatePolicySigner(s)
\n\n
UpdatePolicySigner
\n\n
SignerId
\n\n
A unique identifier for the signer. This attribute ensures that each signer authorized to update the ACfB policy can be distinctly recognized and referenced, allowing for precise control over which signers are trusted to make policy updates.
The <HvciOptions> sub-element is used to define the Hypervisor-protected Code Integrity (HVCI) settings. Hypervisor-Protected Code Integrity (HVCI) leverages virtualization-based security (VBS) to ensure that only trusted code runs in kernel mode, providing an additional layer of protection against malware and other threats. HVCI uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust for the operating system. This isolated environment ensures that kernel mode code integrity checks are performed within a secure context, preventing unauthorized code from executing. This helps in preventing unauthorized code from executing, thereby maintaining the integrity and security of the operating environment.
\n
HVCIOptions
\n
\n
Element Name
\n\n
Description
\n\n
HVCIOptions
\n\n
A friendly name for the HVCI option.
\n
\n
\n
The <HvciOptions> element expects a numeric value that represents the specific configuration settings. Here’s a detailed explanation:
\n
Possible Values for HvciOptions
\n
\n
Enabled (Value: 1): Turns on HVCI, ensuring that only trusted code can run at the hypervisor level.
\n
Strict (Value: 2): Enforces stricter code integrity checks, providing an additional layer of security.
\n
DebugMode (Value: 4): Enables debugging features for HVCI, useful for development and troubleshooting.
\n
DisableAllowed (Value: 8): Allows HVCI to be disabled by the user outside of the Code Integrity policy enablement method.
\n
\n
These values can be combined using bitwise OR operations to enable multiple settings simultaneously.
\n
\n
<!-- Other policy elements here -->
\n
<HvciOptions>2</HvciOptions>
\n
<!-- Other policy elements here -->
\n
Macros
\n
A collection of macro definitions that can be used throughout the policy. Macros allow for text substitution, making it easier to manage and update policy configurations by using predefined values. Each macro is defined within a Macro element, which includes an ID and a value. By using macros, administrators can simplify the policy management process and ensure consistency across different policy elements.
\n
\n
\n
Macros
\n\n
|-----
\n\n
Macro
\n\n
|
\n\n
|-----
\n\n
Attributes
\n\n
|
\n\n
|
\n\n
|-----
\n\n
Id *1
\n\n
|
\n\n
|
\n\n
|-----
\n\n
Value *1
\n\n
|
\n\n
|
\n\n
|
\n\n
|-----
\n\n
Annotations
\n\n
|
\n\n
|-------
\n\n
Documentation
\n\n
|
\n\n
|---------
\n\n
(A Macro element defines a text substitution macro that can be used in other elements. Macros are referenced using NMAKE syntax, i.e. $(runtime.windows).)
\n\n
|
\n\n
|---------
\n\n
(Required. The Id for this macro, used in macro references. For example, if the Id for this macro is \"runtime.windows\", the macro would be referenced as $(runtime.windows).)
\n\n
|
\n\n
|---------
\n\n
(Required. The value that will be substituted for macro references in macro-enabled XML attributes.)
\n\n
|
\n\n
|-----
\n\n
UniqueMacroId
\n\n
|----------------
\n\n
Selector (xpath=\"ps:Macro\")
\n\n
|----------------
\n\n
Field (xpath=\"@Id\")
\n\n
*1 = Required
\n
\n
\n
Macros Elements and Constraints
\n
\n
Element Names
\n\n
Attribute Names
\n\n
Description
\n\n
Macro
\n\n
Id
\n\n
Used in macro references, allowing the macro to be called by its ID in other elements, ensuring consistency and ease of management.
\n
Required
\n\n
Value
\n\n
Specifies the text to be substituted for macro references. This ensures that the defined value is consistently used wherever the macro is referenced, simplifying updates and maintenance.
\n
Required
\n\n
“Macros” Constraints
\n
UniqueMacroId
\n\n
Specifies the unique constraint's name, which in this case is UniqueMacroId. It ensures that each macro ID within the Macros element is unique, preventing duplication.
\n\n
Selector
\n\n
Defines the XPath expression used to select the elements to which the unique constraint applies. In this case, it selects the Macro elements within the Macros element.
\n\n
Field
\n\n
Specifies the field within the selected elements that must be unique. Here, it ensures that the Id attribute of each Macro element is unique within the Macros element.
\n
\n
\n
SupplementalPolicySigners
\n
The <SupplementalPolicySigners> element defines a collection of signers that are trusted to sign supplemental policies. Supplemental policies are additional policies that extend or modify the base policy, allowing for more granular and flexible control over application execution. The <SupplementalPolicySigners> element ensures that only authorized entities can create or update these supplemental policies, maintaining the integrity and security of the overall policy framework
\n
\n
\n
SupplementalPolicySigners
\n\n
|----------------
\n\n
SupplementalPolicySigner
\n\n
|----------------
\n\n
Attributes
\n\n
|-------
\n\n
SignerId *1
\n\n
*1 = Required
\n
\n
SupplementalPolicySigners Elements and Attributes
\n
\n
Element Names
\n\n
Attribute Names
\n\n
Description
\n\n
SupplementalPolicySigner
\n\n
Collection of Collection of SupplementalPolicySigner(s)
\n\n
SignerId
\n\n
A unique identifier for the signer. Ensures that each signer authorized to sign supplemental policies can be distinctly recognized and referenced, allowing for precise control over which signers are trusted to create or update supplemental policies
\n
Required
\n
\n
\n
Schema Definition (CiPolicy.xsd - 1/27/2025) and location
\n
The current schema definition can be found on a Windows 11 device at:
\n
\n
C:\\Windows\\schemas\\CodeIntegrity\\cipolicy.xsd
\n
\n
\n
ACfB Example Policy locations
\n
On Windows 11, ACfB example policies are saved in the following locations:
These example policies can be used as a starting point to create custom policies for your organization's needs.
\n
\n
By implementing a well-structured and ordered schema, organizations can create a secure and efficient environment, much like how Raven's schema keeps her safe and happy in our backyard.
","kudosSumWeight":2,"postTime":"2025-03-18T07:30:54.182-07:00","images":{"__typename":"AssociatedImageConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"attachments":{"__typename":"AttachmentConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[]},"tags":{"__typename":"TagConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[{"__typename":"TagEdge","cursor":"MjUuM3wyLjF8b3wxMHxfTlZffDE","node":{"__typename":"Tag","id":"tag:PaulBergson","text":"PaulBergson","time":"2019-08-28T14:45:11.710-07:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}}]},"timeToRead":24,"rawTeaser":"","introduction":"","coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""},"currentRevision":{"__ref":"Revision:revision:4386252_7"},"latestVersion":{"__typename":"FriendlyVersion","major":"1","minor":"0"},"metrics":{"__typename":"MessageMetrics","views":532},"visibilityScope":"PUBLIC","canonicalUrl":"","seoTitle":"","seoDescription":null,"placeholder":false,"originalMessageForPlaceholder":null,"contributors":{"__typename":"UserConnection","edges":[]},"nonCoAuthorContributors":{"__typename":"UserConnection","edges":[]},"coAuthors":{"__typename":"UserConnection","edges":[]},"blogMessagePolicies":{"__typename":"BlogMessagePolicies","canDoAuthoringActionsOnBlog":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.blog.action_can_do_authoring_action.accessDenied","key":"error.lithium.policies.blog.action_can_do_authoring_action.accessDenied","args":[]}}},"archivalData":null,"replies":{"__typename":"MessageConnection","edges":[{"__typename":"MessageEdge","cursor":"MjUuM3wyLjF8aXwxMHwxMzI6MHxpbnQsNDM5OTIxOCw0Mzk5MjE4","node":{"__ref":"BlogReplyMessage:message:4399218"}}],"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"customFields":[],"revisions({\"constraints\":{\"isPublished\":{\"eq\":true}},\"first\":1})":{"__typename":"RevisionConnection","totalCount":7}},"Conversation:conversation:4386252":{"__typename":"Conversation","id":"conversation:4386252","solved":false,"topic":{"__ref":"BlogTopicMessage:message:4386252"},"lastPostingActivityTime":"2025-03-31T09:08:46.065-07:00","lastPostTime":"2025-03-31T09:08:46.065-07:00","unreadReplyCount":1,"isSubscribed":false},"ModerationData:moderation_data:4386252":{"__typename":"ModerationData","id":"moderation_data:4386252","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":null,"rejectTime":null,"rejectActorType":null},"Revision:revision:4386252_7":{"__typename":"Revision","id":"revision:4386252_7","lastEditTime":"2025-03-18T07:30:47.275-07:00"},"CachedAsset:theme:customTheme1-1747140121662":{"__typename":"CachedAsset","id":"theme:customTheme1-1747140121662","value":{"id":"customTheme1","animation":{"fast":"150ms","normal":"250ms","slow":"500ms","slowest":"750ms","function":"cubic-bezier(0.07, 0.91, 0.51, 1)","__typename":"AnimationThemeSettings"},"avatar":{"borderRadius":"50%","collections":["default"],"__typename":"AvatarThemeSettings"},"basics":{"browserIcon":{"imageAssetName":"favicon-1730836283320.png","imageLastModified":"1730836286415","__typename":"ThemeAsset"},"customerLogo":{"imageAssetName":"favicon-1730836271365.png","imageLastModified":"1730836274203","__typename":"ThemeAsset"},"maximumWidthOfPageContent":"1300px","oneColumnNarrowWidth":"800px","gridGutterWidthMd":"30px","gridGutterWidthXs":"10px","pageWidthStyle":"WIDTH_OF_BROWSER","__typename":"BasicsThemeSettings"},"buttons":{"borderRadiusSm":"3px","borderRadius":"3px","borderRadiusLg":"5px","paddingY":"5px","paddingYLg":"7px","paddingYHero":"var(--lia-bs-btn-padding-y-lg)","paddingX":"12px","paddingXLg":"16px","paddingXHero":"60px","fontStyle":"NORMAL","fontWeight":"700","textTransform":"NONE","disabledOpacity":0.5,"primaryTextColor":"var(--lia-bs-white)","primaryTextHoverColor":"var(--lia-bs-white)","primaryTextActiveColor":"var(--lia-bs-white)","primaryBgColor":"var(--lia-bs-primary)","primaryBgHoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.85))","primaryBgActiveColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.7))","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","primaryBorderActive":"1px solid transparent","primaryBorderFocus":"1px solid var(--lia-bs-white)","primaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","secondaryTextColor":"var(--lia-bs-gray-900)","secondaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","secondaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","secondaryBgColor":"var(--lia-bs-gray-200)","secondaryBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","secondaryBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","secondaryBorder":"1px solid transparent","secondaryBorderHover":"1px solid transparent","secondaryBorderActive":"1px solid transparent","secondaryBorderFocus":"1px solid transparent","secondaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","tertiaryTextColor":"var(--lia-bs-gray-900)","tertiaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","tertiaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","tertiaryBgColor":"transparent","tertiaryBgHoverColor":"transparent","tertiaryBgActiveColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.04)","tertiaryBorder":"1px solid transparent","tertiaryBorderHover":"1px solid hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","tertiaryBorderActive":"1px solid transparent","tertiaryBorderFocus":"1px solid transparent","tertiaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","destructiveTextColor":"var(--lia-bs-danger)","destructiveTextHoverColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.95))","destructiveTextActiveColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.9))","destructiveBgColor":"var(--lia-bs-gray-200)","destructiveBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","destructiveBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","destructiveBorder":"1px solid transparent","destructiveBorderHover":"1px solid transparent","destructiveBorderActive":"1px solid transparent","destructiveBorderFocus":"1px solid transparent","destructiveBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","__typename":"ButtonsThemeSettings"},"border":{"color":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","mainContent":"NONE","sideContent":"LIGHT","radiusSm":"3px","radius":"5px","radiusLg":"9px","radius50":"100vw","__typename":"BorderThemeSettings"},"boxShadow":{"xs":"0 0 0 1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08), 0 3px 0 -1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.16)","sm":"0 2px 4px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.12)","md":"0 5px 15px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","lg":"0 10px 30px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","__typename":"BoxShadowThemeSettings"},"cards":{"bgColor":"var(--lia-panel-bg-color)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":"var(--lia-box-shadow-xs)","__typename":"CardsThemeSettings"},"chip":{"maxWidth":"300px","height":"30px","__typename":"ChipThemeSettings"},"coreTypes":{"defaultMessageLinkColor":"var(--lia-bs-link-color)","defaultMessageLinkDecoration":"none","defaultMessageLinkFontStyle":"NORMAL","defaultMessageLinkFontWeight":"400","defaultMessageFontStyle":"NORMAL","defaultMessageFontWeight":"400","defaultMessageFontFamily":"var(--lia-bs-font-family-base)","forumColor":"#4099E2","forumFontFamily":"var(--lia-bs-font-family-base)","forumFontWeight":"var(--lia-default-message-font-weight)","forumLineHeight":"var(--lia-bs-line-height-base)","forumFontStyle":"var(--lia-default-message-font-style)","forumMessageLinkColor":"var(--lia-default-message-link-color)","forumMessageLinkDecoration":"var(--lia-default-message-link-decoration)","forumMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","forumMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","forumSolvedColor":"#148563","blogColor":"#1CBAA0","blogFontFamily":"var(--lia-bs-font-family-base)","blogFontWeight":"var(--lia-default-message-font-weight)","blogLineHeight":"1.75","blogFontStyle":"var(--lia-default-message-font-style)","blogMessageLinkColor":"var(--lia-default-message-link-color)","blogMessageLinkDecoration":"var(--lia-default-message-link-decoration)","blogMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","blogMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","tkbColor":"#4C6B90","tkbFontFamily":"var(--lia-bs-font-family-base)","tkbFontWeight":"var(--lia-default-message-font-weight)","tkbLineHeight":"1.75","tkbFontStyle":"var(--lia-default-message-font-style)","tkbMessageLinkColor":"var(--lia-default-message-link-color)","tkbMessageLinkDecoration":"var(--lia-default-message-link-decoration)","tkbMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","tkbMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaColor":"#4099E2","qandaFontFamily":"var(--lia-bs-font-family-base)","qandaFontWeight":"var(--lia-default-message-font-weight)","qandaLineHeight":"var(--lia-bs-line-height-base)","qandaFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkColor":"var(--lia-default-message-link-color)","qandaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","qandaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaSolvedColor":"#3FA023","ideaColor":"#FF8000","ideaFontFamily":"var(--lia-bs-font-family-base)","ideaFontWeight":"var(--lia-default-message-font-weight)","ideaLineHeight":"var(--lia-bs-line-height-base)","ideaFontStyle":"var(--lia-default-message-font-style)","ideaMessageLinkColor":"var(--lia-default-message-link-color)","ideaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","ideaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","ideaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","contestColor":"#FCC845","contestFontFamily":"var(--lia-bs-font-family-base)","contestFontWeight":"var(--lia-default-message-font-weight)","contestLineHeight":"var(--lia-bs-line-height-base)","contestFontStyle":"var(--lia-default-message-link-font-style)","contestMessageLinkColor":"var(--lia-default-message-link-color)","contestMessageLinkDecoration":"var(--lia-default-message-link-decoration)","contestMessageLinkFontStyle":"ITALIC","contestMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","occasionColor":"#D13A1F","occasionFontFamily":"var(--lia-bs-font-family-base)","occasionFontWeight":"var(--lia-default-message-font-weight)","occasionLineHeight":"var(--lia-bs-line-height-base)","occasionFontStyle":"var(--lia-default-message-font-style)","occasionMessageLinkColor":"var(--lia-default-message-link-color)","occasionMessageLinkDecoration":"var(--lia-default-message-link-decoration)","occasionMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","occasionMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","grouphubColor":"#333333","categoryColor":"#949494","communityColor":"#FFFFFF","productColor":"#949494","__typename":"CoreTypesThemeSettings"},"colors":{"black":"#000000","white":"#FFFFFF","gray100":"#F7F7F7","gray200":"#F7F7F7","gray300":"#E8E8E8","gray400":"#D9D9D9","gray500":"#CCCCCC","gray600":"#717171","gray700":"#707070","gray800":"#545454","gray900":"#333333","dark":"#545454","light":"#F7F7F7","primary":"#0069D4","secondary":"#333333","bodyText":"#1E1E1E","bodyBg":"#FFFFFF","info":"#409AE2","success":"#41C5AE","warning":"#FCC844","danger":"#BC341B","alertSystem":"#FF6600","textMuted":"#707070","highlight":"#FFFCAD","outline":"var(--lia-bs-primary)","custom":["#D3F5A4","#243A5E"],"__typename":"ColorsThemeSettings"},"divider":{"size":"3px","marginLeft":"4px","marginRight":"4px","borderRadius":"50%","bgColor":"var(--lia-bs-gray-600)","bgColorActive":"var(--lia-bs-gray-600)","__typename":"DividerThemeSettings"},"dropdown":{"fontSize":"var(--lia-bs-font-size-sm)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius-sm)","dividerBg":"var(--lia-bs-gray-300)","itemPaddingY":"5px","itemPaddingX":"20px","headerColor":"var(--lia-bs-gray-700)","__typename":"DropdownThemeSettings"},"email":{"link":{"color":"#0069D4","hoverColor":"#0061c2","decoration":"none","hoverDecoration":"underline","__typename":"EmailLinkSettings"},"border":{"color":"#e4e4e4","__typename":"EmailBorderSettings"},"buttons":{"borderRadiusLg":"5px","paddingXLg":"16px","paddingYLg":"7px","fontWeight":"700","primaryTextColor":"#ffffff","primaryTextHoverColor":"#ffffff","primaryBgColor":"#0069D4","primaryBgHoverColor":"#005cb8","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","__typename":"EmailButtonsSettings"},"panel":{"borderRadius":"5px","borderColor":"#e4e4e4","__typename":"EmailPanelSettings"},"__typename":"EmailThemeSettings"},"emoji":{"skinToneDefault":"#ffcd43","skinToneLight":"#fae3c5","skinToneMediumLight":"#e2cfa5","skinToneMedium":"#daa478","skinToneMediumDark":"#a78058","skinToneDark":"#5e4d43","__typename":"EmojiThemeSettings"},"heading":{"color":"var(--lia-bs-body-color)","fontFamily":"Segoe UI","fontStyle":"NORMAL","fontWeight":"400","h1FontSize":"34px","h2FontSize":"32px","h3FontSize":"28px","h4FontSize":"24px","h5FontSize":"20px","h6FontSize":"16px","lineHeight":"1.3","subHeaderFontSize":"11px","subHeaderFontWeight":"500","h1LetterSpacing":"normal","h2LetterSpacing":"normal","h3LetterSpacing":"normal","h4LetterSpacing":"normal","h5LetterSpacing":"normal","h6LetterSpacing":"normal","subHeaderLetterSpacing":"2px","h1FontWeight":"var(--lia-bs-headings-font-weight)","h2FontWeight":"var(--lia-bs-headings-font-weight)","h3FontWeight":"var(--lia-bs-headings-font-weight)","h4FontWeight":"var(--lia-bs-headings-font-weight)","h5FontWeight":"var(--lia-bs-headings-font-weight)","h6FontWeight":"var(--lia-bs-headings-font-weight)","__typename":"HeadingThemeSettings"},"icons":{"size10":"10px","size12":"12px","size14":"14px","size16":"16px","size20":"20px","size24":"24px","size30":"30px","size40":"40px","size50":"50px","size60":"60px","size80":"80px","size120":"120px","size160":"160px","__typename":"IconsThemeSettings"},"imagePreview":{"bgColor":"var(--lia-bs-gray-900)","titleColor":"var(--lia-bs-white)","controlColor":"var(--lia-bs-white)","controlBgColor":"var(--lia-bs-gray-800)","__typename":"ImagePreviewThemeSettings"},"input":{"borderColor":"var(--lia-bs-gray-600)","disabledColor":"var(--lia-bs-gray-600)","focusBorderColor":"var(--lia-bs-primary)","labelMarginBottom":"10px","btnFontSize":"var(--lia-bs-font-size-sm)","focusBoxShadow":"0 0 0 3px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","checkLabelMarginBottom":"2px","checkboxBorderRadius":"3px","borderRadiusSm":"var(--lia-bs-border-radius-sm)","borderRadius":"var(--lia-bs-border-radius)","borderRadiusLg":"var(--lia-bs-border-radius-lg)","formTextMarginTop":"4px","textAreaBorderRadius":"var(--lia-bs-border-radius)","activeFillColor":"var(--lia-bs-primary)","__typename":"InputThemeSettings"},"loading":{"dotDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.2)","dotLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.5)","barDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.06)","barLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.4)","__typename":"LoadingThemeSettings"},"link":{"color":"var(--lia-bs-primary)","hoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) - 10%))","decoration":"none","hoverDecoration":"underline","__typename":"LinkThemeSettings"},"listGroup":{"itemPaddingY":"15px","itemPaddingX":"15px","borderColor":"var(--lia-bs-gray-300)","__typename":"ListGroupThemeSettings"},"modal":{"contentTextColor":"var(--lia-bs-body-color)","contentBg":"var(--lia-bs-white)","backgroundBg":"var(--lia-bs-black)","smSize":"440px","mdSize":"760px","lgSize":"1080px","backdropOpacity":0.3,"contentBoxShadowXs":"var(--lia-bs-box-shadow-sm)","contentBoxShadow":"var(--lia-bs-box-shadow)","headerFontWeight":"700","__typename":"ModalThemeSettings"},"navbar":{"position":"FIXED","background":{"attachment":null,"clip":null,"color":"var(--lia-bs-white)","imageAssetName":"","imageLastModified":"0","origin":null,"position":"CENTER_CENTER","repeat":"NO_REPEAT","size":"COVER","__typename":"BackgroundProps"},"backgroundOpacity":0.8,"paddingTop":"15px","paddingBottom":"15px","borderBottom":"1px solid var(--lia-bs-border-color)","boxShadow":"var(--lia-bs-box-shadow-sm)","brandMarginRight":"30px","brandMarginRightSm":"10px","brandLogoHeight":"30px","linkGap":"10px","linkJustifyContent":"flex-start","linkPaddingY":"5px","linkPaddingX":"10px","linkDropdownPaddingY":"9px","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkColor":"var(--lia-bs-body-color)","linkHoverColor":"var(--lia-bs-primary)","linkFontSize":"var(--lia-bs-font-size-sm)","linkFontStyle":"NORMAL","linkFontWeight":"400","linkTextTransform":"NONE","linkLetterSpacing":"normal","linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkBgColor":"transparent","linkBgHoverColor":"transparent","linkBorder":"none","linkBorderHover":"none","linkBoxShadow":"none","linkBoxShadowHover":"none","linkTextBorderBottom":"none","linkTextBorderBottomHover":"none","dropdownPaddingTop":"10px","dropdownPaddingBottom":"15px","dropdownPaddingX":"10px","dropdownMenuOffset":"2px","dropdownDividerMarginTop":"10px","dropdownDividerMarginBottom":"10px","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","controllerIconColor":"var(--lia-bs-body-color)","controllerIconHoverColor":"var(--lia-bs-body-color)","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","controllerHighlightColor":"hsla(30, 100%, 50%)","controllerHighlightTextColor":"var(--lia-yiq-light)","controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerColor":"var(--lia-nav-controller-icon-color)","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","hamburgerBgColor":"transparent","hamburgerBgHoverColor":"transparent","hamburgerBorder":"none","hamburgerBorderHover":"none","collapseMenuMarginLeft":"20px","collapseMenuDividerBg":"var(--lia-nav-link-color)","collapseMenuDividerOpacity":0.16,"__typename":"NavbarThemeSettings"},"pager":{"textColor":"var(--lia-bs-link-color)","textFontWeight":"var(--lia-font-weight-md)","textFontSize":"var(--lia-bs-font-size-sm)","__typename":"PagerThemeSettings"},"panel":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-bs-border-radius)","borderColor":"var(--lia-bs-border-color)","boxShadow":"none","__typename":"PanelThemeSettings"},"popover":{"arrowHeight":"8px","arrowWidth":"16px","maxWidth":"300px","minWidth":"100px","headerBg":"var(--lia-bs-white)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius)","boxShadow":"0 0.5rem 1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.15)","__typename":"PopoverThemeSettings"},"prism":{"color":"#000000","bgColor":"#f5f2f0","fontFamily":"var(--font-family-monospace)","fontSize":"var(--lia-bs-font-size-base)","fontWeightBold":"var(--lia-bs-font-weight-bold)","fontStyleItalic":"italic","tabSize":2,"highlightColor":"#b3d4fc","commentColor":"#62707e","punctuationColor":"#6f6f6f","namespaceOpacity":"0.7","propColor":"#990055","selectorColor":"#517a00","operatorColor":"#906736","operatorBgColor":"hsla(0, 0%, 100%, 0.5)","keywordColor":"#0076a9","functionColor":"#d3284b","variableColor":"#c14700","__typename":"PrismThemeSettings"},"rte":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":" var(--lia-panel-box-shadow)","customColor1":"#bfedd2","customColor2":"#fbeeb8","customColor3":"#f8cac6","customColor4":"#eccafa","customColor5":"#c2e0f4","customColor6":"#2dc26b","customColor7":"#f1c40f","customColor8":"#e03e2d","customColor9":"#b96ad9","customColor10":"#3598db","customColor11":"#169179","customColor12":"#e67e23","customColor13":"#ba372a","customColor14":"#843fa1","customColor15":"#236fa1","customColor16":"#ecf0f1","customColor17":"#ced4d9","customColor18":"#95a5a6","customColor19":"#7e8c8d","customColor20":"#34495e","customColor21":"#000000","customColor22":"#ffffff","defaultMessageHeaderMarginTop":"40px","defaultMessageHeaderMarginBottom":"20px","defaultMessageItemMarginTop":"0","defaultMessageItemMarginBottom":"10px","diffAddedColor":"hsla(170, 53%, 51%, 0.4)","diffChangedColor":"hsla(43, 97%, 63%, 0.4)","diffNoneColor":"hsla(0, 0%, 80%, 0.4)","diffRemovedColor":"hsla(9, 74%, 47%, 0.4)","specialMessageHeaderMarginTop":"40px","specialMessageHeaderMarginBottom":"20px","specialMessageItemMarginTop":"0","specialMessageItemMarginBottom":"10px","__typename":"RteThemeSettings"},"tags":{"bgColor":"var(--lia-bs-gray-200)","bgHoverColor":"var(--lia-bs-gray-400)","borderRadius":"var(--lia-bs-border-radius-sm)","color":"var(--lia-bs-body-color)","hoverColor":"var(--lia-bs-body-color)","fontWeight":"var(--lia-font-weight-md)","fontSize":"var(--lia-font-size-xxs)","textTransform":"UPPERCASE","letterSpacing":"0.5px","__typename":"TagsThemeSettings"},"toasts":{"borderRadius":"var(--lia-bs-border-radius)","paddingX":"12px","__typename":"ToastsThemeSettings"},"typography":{"fontFamilyBase":"Segoe UI","fontStyleBase":"NORMAL","fontWeightBase":"400","fontWeightLight":"300","fontWeightNormal":"400","fontWeightMd":"500","fontWeightBold":"700","letterSpacingSm":"normal","letterSpacingXs":"normal","lineHeightBase":"1.5","fontSizeBase":"16px","fontSizeXxs":"11px","fontSizeXs":"12px","fontSizeSm":"14px","fontSizeLg":"20px","fontSizeXl":"24px","smallFontSize":"14px","customFonts":[{"source":"SERVER","name":"Segoe UI","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"},{"style":"NORMAL","weight":"300","__typename":"FontStyleData"},{"style":"NORMAL","weight":"600","__typename":"FontStyleData"},{"style":"NORMAL","weight":"700","__typename":"FontStyleData"},{"style":"ITALIC","weight":"400","__typename":"FontStyleData"}],"assetNames":["SegoeUI-normal-400.woff2","SegoeUI-normal-300.woff2","SegoeUI-normal-600.woff2","SegoeUI-normal-700.woff2","SegoeUI-italic-400.woff2"],"__typename":"CustomFont"},{"source":"SERVER","name":"MWF Fluent Icons","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"}],"assetNames":["MWFFluentIcons-normal-400.woff2"],"__typename":"CustomFont"}],"__typename":"TypographyThemeSettings"},"unstyledListItem":{"marginBottomSm":"5px","marginBottomMd":"10px","marginBottomLg":"15px","marginBottomXl":"20px","marginBottomXxl":"25px","__typename":"UnstyledListItemThemeSettings"},"yiq":{"light":"#ffffff","dark":"#000000","__typename":"YiqThemeSettings"},"colorLightness":{"primaryDark":0.36,"primaryLight":0.74,"primaryLighter":0.89,"primaryLightest":0.95,"infoDark":0.39,"infoLight":0.72,"infoLighter":0.85,"infoLightest":0.93,"successDark":0.24,"successLight":0.62,"successLighter":0.8,"successLightest":0.91,"warningDark":0.39,"warningLight":0.68,"warningLighter":0.84,"warningLightest":0.93,"dangerDark":0.41,"dangerLight":0.72,"dangerLighter":0.89,"dangerLightest":0.95,"__typename":"ColorLightnessThemeSettings"},"localOverride":false,"__typename":"Theme"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1745505307000","value":{"title":"Loading..."},"localOverride":false},"CachedAsset:quilt:o365.prod:pages/blogs/BlogMessagePage:board:CoreInfrastructureandSecurityBlog-1747140119329":{"__typename":"CachedAsset","id":"quilt:o365.prod:pages/blogs/BlogMessagePage:board:CoreInfrastructureandSecurityBlog-1747140119329","value":{"id":"BlogMessagePage","container":{"id":"Common","headerProps":{"backgroundImageProps":null,"backgroundColor":null,"addComponents":null,"removeComponents":["community.widget.bannerWidget"],"componentOrder":null,"__typename":"QuiltContainerSectionProps"},"headerComponentProps":{"community.widget.breadcrumbWidget":{"disableLastCrumbForDesktop":false}},"footerProps":null,"footerComponentProps":null,"items":[{"id":"blog-article","layout":"ONE_COLUMN","bgColor":null,"showTitle":null,"showDescription":null,"textPosition":null,"textColor":null,"sectionEditLevel":"LOCKED","bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"OneColumnQuiltSection","columnMap":{"main":[{"id":"blogs.widget.blogArticleWidget","className":"lia-blog-container","props":null,"__typename":"QuiltComponent"}],"__typename":"OneSectionColumns"}},{"id":"section-1729184836777","layout":"MAIN_SIDE","bgColor":"transparent","showTitle":false,"showDescription":false,"textPosition":"CENTER","textColor":"var(--lia-bs-body-color)","sectionEditLevel":null,"bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"MainSideQuiltSection","columnMap":{"main":[],"side":[],"__typename":"MainSideSectionColumns"}}],"__typename":"QuiltContainer"},"__typename":"Quilt","localOverride":false},"localOverride":false},"CachedAsset:text:en_US-components/common/EmailVerification-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerification-1745505307000","value":{"email.verification.title":"Email Verification Required","email.verification.message.update.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. To change your email, visit My Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-pages/blogs/BlogMessagePage-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-pages/blogs/BlogMessagePage-1745505307000","value":{"title":"{contextMessageSubject} | {communityTitle}","errorMissing":"This blog post cannot be found","name":"Blog Message Page","section.blog-article.title":"Blog Post","archivedMessageTitle":"This Content Has Been Archived","section.section-1729184836777.title":"","section.section-1729184836777.description":"","section.CncIde.title":"Blog Post","section.tifEmD.description":"","section.tifEmD.title":""},"localOverride":false},"CachedAsset:quiltWrapper:o365.prod:Common:1747140048622":{"__typename":"CachedAsset","id":"quiltWrapper:o365.prod:Common:1747140048622","value":{"id":"Common","header":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"community.widget.navbarWidget","props":{"showUserName":true,"showRegisterLink":true,"useIconLanguagePicker":true,"useLabelLanguagePicker":true,"className":"QuiltComponent_lia-component-edit-mode__0nCcm","links":{"sideLinks":[],"mainLinks":[{"children":[],"linkType":"INTERNAL","id":"gxcuf89792","params":{},"routeName":"CommunityPage"},{"children":[],"linkType":"EXTERNAL","id":"external-link","url":"/Directory","target":"SELF"},{"children":[{"linkType":"INTERNAL","id":"microsoft365","params":{"categoryId":"microsoft365"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"windows","params":{"categoryId":"Windows"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoft365-copilot-link","params":{"categoryId":"Microsoft365Copilot"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-teams","params":{"categoryId":"MicrosoftTeams"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-securityand-compliance","params":{"categoryId":"microsoft-security"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"azure","params":{"categoryId":"Azure"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-content_management-link","params":{"categoryId":"Content_Management"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"exchange","params":{"categoryId":"Exchange"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"windows-server","params":{"categoryId":"Windows-Server"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"outlook","params":{"categoryId":"Outlook"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-endpoint-manager","params":{"categoryId":"microsoftintune"},"routeName":"CategoryPage"},{"linkType":"EXTERNAL","id":"external-link-2","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"communities","url":"/","target":"BLANK"},{"children":[{"linkType":"INTERNAL","id":"a-i","params":{"categoryId":"AI"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"education-sector","params":{"categoryId":"EducationSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"partner-community","params":{"categoryId":"PartnerCommunity"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"i-t-ops-talk","params":{"categoryId":"ITOpsTalk"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"healthcare-and-life-sciences","params":{"categoryId":"HealthcareAndLifeSciences"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-mechanics","params":{"categoryId":"MicrosoftMechanics"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"public-sector","params":{"categoryId":"PublicSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"s-m-b","params":{"categoryId":"MicrosoftforNonprofits"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"io-t","params":{"categoryId":"IoT"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"startupsat-microsoft","params":{"categoryId":"StartupsatMicrosoft"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"driving-adoption","params":{"categoryId":"DrivingAdoption"},"routeName":"CategoryPage"},{"linkType":"EXTERNAL","id":"external-link-1","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"communities-1","url":"/","target":"SELF"},{"children":[],"linkType":"EXTERNAL","id":"external","url":"/Blogs","target":"SELF"},{"children":[],"linkType":"EXTERNAL","id":"external-1","url":"/Events","target":"SELF"},{"children":[{"linkType":"INTERNAL","id":"microsoft-learn-1","params":{"categoryId":"MicrosoftLearn"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-learn-blog","params":{"boardId":"MicrosoftLearnBlog","categoryId":"MicrosoftLearn"},"routeName":"BlogBoardPage"},{"linkType":"EXTERNAL","id":"external-10","url":"https://learningroomdirectory.microsoft.com/","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-3","url":"https://docs.microsoft.com/learn/dynamics365/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-4","url":"https://docs.microsoft.com/learn/m365/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-5","url":"https://docs.microsoft.com/learn/topics/sci/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-6","url":"https://docs.microsoft.com/learn/powerplatform/?wt.mc_id=techcom_header-webpage-powerplatform","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-7","url":"https://docs.microsoft.com/learn/github/?wt.mc_id=techcom_header-webpage-github","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-8","url":"https://docs.microsoft.com/learn/teams/?wt.mc_id=techcom_header-webpage-teams","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-9","url":"https://docs.microsoft.com/learn/dotnet/?wt.mc_id=techcom_header-webpage-dotnet","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-2","url":"https://docs.microsoft.com/learn/azure/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"}],"linkType":"INTERNAL","id":"microsoft-learn","params":{"categoryId":"MicrosoftLearn"},"routeName":"CategoryPage"},{"children":[],"linkType":"INTERNAL","id":"community-info-center","params":{"categoryId":"Community-Info-Center"},"routeName":"CategoryPage"}]},"style":{"boxShadow":"var(--lia-bs-box-shadow-sm)","controllerHighlightColor":"hsla(30, 100%, 50%)","linkFontWeight":"400","dropdownDividerMarginBottom":"10px","hamburgerBorderHover":"none","linkBoxShadowHover":"none","linkFontSize":"14px","backgroundOpacity":0.8,"controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerBgColor":"transparent","hamburgerColor":"var(--lia-nav-controller-icon-color)","linkTextBorderBottom":"none","brandLogoHeight":"30px","linkBgHoverColor":"transparent","linkLetterSpacing":"normal","collapseMenuDividerOpacity":0.16,"dropdownPaddingBottom":"15px","paddingBottom":"15px","dropdownMenuOffset":"2px","hamburgerBgHoverColor":"transparent","borderBottom":"1px solid var(--lia-bs-border-color)","hamburgerBorder":"none","dropdownPaddingX":"10px","brandMarginRightSm":"10px","linkBoxShadow":"none","collapseMenuDividerBg":"var(--lia-nav-link-color)","linkColor":"var(--lia-bs-body-color)","linkJustifyContent":"flex-start","dropdownPaddingTop":"10px","controllerHighlightTextColor":"var(--lia-yiq-dark)","controllerTextColor":"var(--lia-nav-controller-icon-color)","background":{"imageAssetName":"","color":"var(--lia-bs-white)","size":"COVER","repeat":"NO_REPEAT","position":"CENTER_CENTER","imageLastModified":""},"linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkHoverColor":"var(--lia-bs-body-color)","position":"FIXED","linkBorder":"none","linkTextBorderBottomHover":"2px solid var(--lia-bs-body-color)","brandMarginRight":"30px","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","linkBorderHover":"none","collapseMenuMarginLeft":"20px","linkFontStyle":"NORMAL","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","linkPaddingX":"10px","linkPaddingY":"5px","paddingTop":"15px","linkTextTransform":"NONE","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","linkBgColor":"transparent","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkDropdownPaddingY":"9px","controllerIconColor":"var(--lia-bs-body-color)","dropdownDividerMarginTop":"10px","linkGap":"10px","controllerIconHoverColor":"var(--lia-bs-body-color)"},"showSearchIcon":false,"languagePickerStyle":"iconAndLabel"},"__typename":"QuiltComponent"},{"id":"community.widget.breadcrumbWidget","props":{"backgroundColor":"transparent","linkHighlightColor":"var(--lia-bs-primary)","visualEffects":{"showBottomBorder":true},"linkTextColor":"var(--lia-bs-gray-700)"},"__typename":"QuiltComponent"},{"id":"custom.widget.HeroBanner","props":{"widgetVisibility":"signedInOrAnonymous","usePageWidth":false,"useTitle":true,"cMax_items":3,"useBackground":false,"title":"","lazyLoad":false,"widgetChooser":"custom.widget.HeroBanner"},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"footer":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"custom.widget.MicrosoftFooter","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"__typename":"QuiltWrapper","localOverride":false},"localOverride":false},"CachedAsset:text:en_US-components/common/ActionFeedback-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/common/ActionFeedback-1745505307000","value":{"joinedGroupHub.title":"Welcome","joinedGroupHub.message":"You are now a member of this group and are subscribed to updates.","groupHubInviteNotFound.title":"Invitation Not Found","groupHubInviteNotFound.message":"Sorry, we could not find your invitation to the group. The owner may have canceled the invite.","groupHubNotFound.title":"Group Not Found","groupHubNotFound.message":"The grouphub you tried to join does not exist. It may have been deleted.","existingGroupHubMember.title":"Already Joined","existingGroupHubMember.message":"You are already a member of this group.","accountLocked.title":"Account Locked","accountLocked.message":"Your account has been locked due to multiple failed attempts. Try again in {lockoutTime} minutes.","editedGroupHub.title":"Changes Saved","editedGroupHub.message":"Your group has been updated.","leftGroupHub.title":"Goodbye","leftGroupHub.message":"You are no longer a member of this group and will not receive future updates.","deletedGroupHub.title":"Deleted","deletedGroupHub.message":"The group has been deleted.","groupHubCreated.title":"Group Created","groupHubCreated.message":"{groupHubName} is ready to use","accountClosed.title":"Account Closed","accountClosed.message":"The account has been closed and you will now be redirected to the homepage","resetTokenExpired.title":"Reset Password Link has Expired","resetTokenExpired.message":"Try resetting your password again","invalidUrl.title":"Invalid URL","invalidUrl.message":"The URL you're using is not recognized. Verify your URL and try again.","accountClosedForUser.title":"Account Closed","accountClosedForUser.message":"{userName}'s account is closed","inviteTokenInvalid.title":"Invitation Invalid","inviteTokenInvalid.message":"Your invitation to the community has been canceled or expired.","inviteTokenError.title":"Invitation Verification Failed","inviteTokenError.message":"The url you are utilizing is not recognized. Verify your URL and try again","pageNotFound.title":"Access Denied","pageNotFound.message":"You do not have access to this area of the community or it doesn't exist","eventAttending.title":"Responded as Attending","eventAttending.message":"You'll be notified when there's new activity and reminded as the event approaches","eventInterested.title":"Responded as Interested","eventInterested.message":"You'll be notified when there's new activity and reminded as the event approaches","eventNotFound.title":"Event Not Found","eventNotFound.message":"The event you tried to respond to does not exist.","redirectToRelatedPage.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.message":"The content you are trying to access is archived","redirectToRelatedPage.message":"The content you are trying to access is archived","relatedUrl.archivalLink.flyoutMessage":"The content you are trying to access is archived View Archived Content"},"localOverride":false},"QueryVariables:TopicReplyList:message:4386252:7":{"__typename":"QueryVariables","id":"TopicReplyList:message:4386252:7","value":{"id":"message:4386252","first":10,"sorts":{"postTime":{"direction":"DESC"}},"repliesFirst":3,"repliesFirstDepthThree":1,"repliesSorts":{"postTime":{"direction":"DESC"}},"useAvatar":true,"useAuthorLogin":true,"useAuthorRank":true,"useBody":true,"useKudosCount":true,"useTimeToRead":false,"useMedia":false,"useReadOnlyIcon":false,"useRepliesCount":true,"useSearchSnippet":false,"useAcceptedSolutionButton":false,"useSolvedBadge":false,"useAttachments":false,"attachmentsFirst":5,"useTags":true,"useNodeAncestors":false,"useUserHoverCard":false,"useNodeHoverCard":false,"useModerationStatus":true,"usePreviewSubjectModal":false,"useMessageStatus":true}},"ROOT_MUTATION":{"__typename":"Mutation"},"CachedAsset:component:custom.widget.HeroBanner-en-us-1747150702662":{"__typename":"CachedAsset","id":"component:custom.widget.HeroBanner-en-us-1747150702662","value":{"component":{"id":"custom.widget.HeroBanner","template":{"id":"HeroBanner","markupLanguage":"REACT","style":null,"texts":{"searchPlaceholderText":"Search this community","followActionText":"Follow","unfollowActionText":"Following","searchOnHoverText":"Please enter your search term(s) and then press return key to complete a search.","blogs.sidebar.pagetitle":"Latest Blogs | Microsoft Tech Community","followThisNode":"Follow this node","unfollowThisNode":"Unfollow this node"},"defaults":{"config":{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.HeroBanner","form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"},"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"},"__typename":"Component","localOverride":false},"globalCss":null,"form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"}},"localOverride":false},"CachedAsset:component:custom.widget.MicrosoftFooter-en-us-1747150702662":{"__typename":"CachedAsset","id":"component:custom.widget.MicrosoftFooter-en-us-1747150702662","value":{"component":{"id":"custom.widget.MicrosoftFooter","template":{"id":"MicrosoftFooter","markupLanguage":"HANDLEBARS","style":".context-uhf {\n min-width: 280px;\n font-size: 15px;\n box-sizing: border-box;\n -ms-text-size-adjust: 100%;\n -webkit-text-size-adjust: 100%;\n & *,\n & *:before,\n & *:after {\n box-sizing: inherit;\n }\n a.c-uhff-link {\n color: #616161;\n word-break: break-word;\n text-decoration: none;\n }\n &a:link,\n &a:focus,\n &a:hover,\n &a:active,\n &a:visited {\n text-decoration: none;\n color: inherit;\n }\n & div {\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\n }\n}\n.c-uhff {\n background: #f2f2f2;\n margin: -1.5625;\n width: auto;\n height: auto;\n}\n.c-uhff-nav {\n margin: 0 auto;\n max-width: calc(1600px + 10%);\n padding: 0 5%;\n box-sizing: inherit;\n &:before,\n &:after {\n content: ' ';\n display: table;\n clear: left;\n }\n @media only screen and (max-width: 1083px) {\n padding-left: 12px;\n }\n .c-heading-4 {\n color: #616161;\n word-break: break-word;\n font-size: 15px;\n line-height: 20px;\n padding: 36px 0 4px;\n font-weight: 600;\n }\n .c-uhff-nav-row {\n .c-uhff-nav-group {\n display: block;\n float: left;\n min-height: 1px;\n vertical-align: text-top;\n padding: 0 12px;\n width: 100%;\n zoom: 1;\n &:first-child {\n padding-left: 0;\n @media only screen and (max-width: 1083px) {\n padding-left: 12px;\n }\n }\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\n width: 33.33333%;\n }\n @media only screen and (min-width: 1083px) {\n width: 16.6666666667%;\n }\n ul.c-list.f-bare {\n font-size: 11px;\n line-height: 16px;\n margin-top: 0;\n margin-bottom: 0;\n padding-left: 0;\n list-style-type: none;\n li {\n word-break: break-word;\n padding: 8px 0;\n margin: 0;\n }\n }\n }\n }\n}\n.c-uhff-base {\n background: #f2f2f2;\n margin: 0 auto;\n max-width: calc(1600px + 10%);\n padding: 30px 5% 16px;\n &:before,\n &:after {\n content: ' ';\n display: table;\n }\n &:after {\n clear: both;\n }\n a.c-uhff-ccpa {\n font-size: 11px;\n line-height: 16px;\n float: left;\n margin: 3px 0;\n }\n a.c-uhff-ccpa:hover {\n text-decoration: underline;\n }\n ul.c-list {\n font-size: 11px;\n line-height: 16px;\n float: right;\n margin: 3px 0;\n color: #616161;\n li {\n padding: 0 24px 4px 0;\n display: inline-block;\n }\n }\n .c-list.f-bare {\n padding-left: 0;\n list-style-type: none;\n }\n @media only screen and (max-width: 1083px) {\n display: flex;\n flex-wrap: wrap;\n padding: 30px 24px 16px;\n }\n}\n\n.social-share {\n position: fixed;\n top: 60%;\n transform: translateY(-50%);\n left: 0;\n z-index: 1000;\n}\n\n.sharing-options {\n list-style: none;\n padding: 0;\n margin: 0;\n display: block;\n flex-direction: column;\n background-color: white;\n width: 43px;\n border-radius: 0px 7px 7px 0px;\n}\n.linkedin-icon {\n border-top-right-radius: 7px;\n}\n.linkedin-icon:hover {\n border-radius: 0;\n}\n.social-share-rss-image {\n border-bottom-right-radius: 7px;\n}\n.social-share-rss-image:hover {\n border-radius: 0;\n}\n\n.social-link-footer {\n position: relative;\n display: block;\n margin: -2px 0;\n transition: all 0.2s ease;\n}\n.social-link-footer:hover .linkedin-icon {\n border-radius: 0;\n}\n.social-link-footer:hover .social-share-rss-image {\n border-radius: 0;\n}\n\n.social-link-footer img {\n width: 40px;\n height: auto;\n transition: filter 0.3s ease;\n}\n\n.social-share-list {\n width: 40px;\n}\n.social-share-rss-image {\n width: 40px;\n}\n\n.share-icon {\n border: 2px solid transparent;\n display: inline-block;\n position: relative;\n}\n\n.share-icon:hover {\n opacity: 1;\n border: 2px solid white;\n box-sizing: border-box;\n}\n\n.share-icon:hover .label {\n opacity: 1;\n visibility: visible;\n border: 2px solid white;\n box-sizing: border-box;\n border-left: none;\n}\n\n.label {\n position: absolute;\n left: 100%;\n white-space: nowrap;\n opacity: 0;\n visibility: hidden;\n transition: all 0.2s ease;\n color: white;\n border-radius: 0 10 0 10px;\n top: 50%;\n transform: translateY(-50%);\n height: 40px;\n border-radius: 0 6px 6px 0;\n display: flex;\n align-items: center;\n justify-content: center;\n padding: 20px 5px 20px 8px;\n margin-left: -1px;\n}\n.linkedin {\n background-color: #0474b4;\n}\n.facebook {\n background-color: #3c5c9c;\n}\n.twitter {\n background-color: white;\n color: black;\n}\n.reddit {\n background-color: #fc4404;\n}\n.mail {\n background-color: #848484;\n}\n.bluesky {\n background-color: white;\n color: black;\n}\n.rss {\n background-color: #ec7b1c;\n}\n#RSS {\n width: 40px;\n height: 40px;\n}\n\n@media (max-width: 991px) {\n .social-share {\n display: none;\n }\n}\n","texts":{"New tab":"What's New","New 1":"Surface Laptop Studio 2","New 2":"Surface Laptop Go 3","New 3":"Surface Pro 9","New 4":"Surface Laptop 5","New 5":"Surface Studio 2+","New 6":"Copilot in Windows","New 7":"Microsoft 365","New 8":"Windows 11 apps","Store tab":"Microsoft Store","Store 1":"Account Profile","Store 2":"Download Center","Store 3":"Microsoft Store Support","Store 4":"Returns","Store 5":"Order tracking","Store 6":"Certified Refurbished","Store 7":"Microsoft Store Promise","Store 8":"Flexible Payments","Education tab":"Education","Edu 1":"Microsoft in education","Edu 2":"Devices for education","Edu 3":"Microsoft Teams for Education","Edu 4":"Microsoft 365 Education","Edu 5":"How to buy for your school","Edu 6":"Educator Training and development","Edu 7":"Deals for students and parents","Edu 8":"Azure for students","Business tab":"Business","Bus 1":"Microsoft Cloud","Bus 2":"Microsoft Security","Bus 3":"Dynamics 365","Bus 4":"Microsoft 365","Bus 5":"Microsoft Power Platform","Bus 6":"Microsoft Teams","Bus 7":"Microsoft Industry","Bus 8":"Small Business","Developer tab":"Developer & IT","Dev 1":"Azure","Dev 2":"Developer Center","Dev 3":"Documentation","Dev 4":"Microsoft Learn","Dev 5":"Microsoft Tech Community","Dev 6":"Azure Marketplace","Dev 7":"AppSource","Dev 8":"Visual Studio","Company tab":"Company","Com 1":"Careers","Com 2":"About Microsoft","Com 3":"Company News","Com 4":"Privacy at Microsoft","Com 5":"Investors","Com 6":"Diversity and inclusion","Com 7":"Accessiblity","Com 8":"Sustainibility"},"defaults":{"config":{"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.MicrosoftFooter","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":{"css":".custom_widget_MicrosoftFooter_context-uhf_105bp_1 {\n min-width: 17.5rem;\n font-size: 0.9375rem;\n box-sizing: border-box;\n -ms-text-size-adjust: 100%;\n -webkit-text-size-adjust: 100%;\n & *,\n & *:before,\n & *:after {\n box-sizing: inherit;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-link_105bp_12 {\n color: #616161;\n word-break: break-word;\n text-decoration: none;\n }\n &a:link,\n &a:focus,\n &a:hover,\n &a:active,\n &a:visited {\n text-decoration: none;\n color: inherit;\n }\n & div {\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\n }\n}\n.custom_widget_MicrosoftFooter_c-uhff_105bp_12 {\n background: #f2f2f2;\n margin: -1.5625;\n width: auto;\n height: auto;\n}\n.custom_widget_MicrosoftFooter_c-uhff-nav_105bp_35 {\n margin: 0 auto;\n max-width: calc(100rem + 10%);\n padding: 0 5%;\n box-sizing: inherit;\n &:before,\n &:after {\n content: ' ';\n display: table;\n clear: left;\n }\n @media only screen and (max-width: 1083px) {\n padding-left: 0.75rem;\n }\n .custom_widget_MicrosoftFooter_c-heading-4_105bp_49 {\n color: #616161;\n word-break: break-word;\n font-size: 0.9375rem;\n line-height: 1.25rem;\n padding: 2.25rem 0 0.25rem;\n font-weight: 600;\n }\n .custom_widget_MicrosoftFooter_c-uhff-nav-row_105bp_57 {\n .custom_widget_MicrosoftFooter_c-uhff-nav-group_105bp_58 {\n display: block;\n float: left;\n min-height: 0.0625rem;\n vertical-align: text-top;\n padding: 0 0.75rem;\n width: 100%;\n zoom: 1;\n &:first-child {\n padding-left: 0;\n @media only screen and (max-width: 1083px) {\n padding-left: 0.75rem;\n }\n }\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\n width: 33.33333%;\n }\n @media only screen and (min-width: 1083px) {\n width: 16.6666666667%;\n }\n ul.custom_widget_MicrosoftFooter_c-list_105bp_78.custom_widget_MicrosoftFooter_f-bare_105bp_78 {\n font-size: 0.6875rem;\n line-height: 1rem;\n margin-top: 0;\n margin-bottom: 0;\n padding-left: 0;\n list-style-type: none;\n li {\n word-break: break-word;\n padding: 0.5rem 0;\n margin: 0;\n }\n }\n }\n }\n}\n.custom_widget_MicrosoftFooter_c-uhff-base_105bp_94 {\n background: #f2f2f2;\n margin: 0 auto;\n max-width: calc(100rem + 10%);\n padding: 1.875rem 5% 1rem;\n &:before,\n &:after {\n content: ' ';\n display: table;\n }\n &:after {\n clear: both;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_105bp_107 {\n font-size: 0.6875rem;\n line-height: 1rem;\n float: left;\n margin: 0.1875rem 0;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_105bp_107:hover {\n text-decoration: underline;\n }\n ul.custom_widget_MicrosoftFooter_c-list_105bp_78 {\n font-size: 0.6875rem;\n line-height: 1rem;\n float: right;\n margin: 0.1875rem 0;\n color: #616161;\n li {\n padding: 0 1.5rem 0.25rem 0;\n display: inline-block;\n }\n }\n .custom_widget_MicrosoftFooter_c-list_105bp_78.custom_widget_MicrosoftFooter_f-bare_105bp_78 {\n padding-left: 0;\n list-style-type: none;\n }\n @media only screen and (max-width: 1083px) {\n display: flex;\n flex-wrap: wrap;\n padding: 1.875rem 1.5rem 1rem;\n }\n}\n.custom_widget_MicrosoftFooter_social-share_105bp_138 {\n position: fixed;\n top: 60%;\n transform: translateY(-50%);\n left: 0;\n z-index: 1000;\n}\n.custom_widget_MicrosoftFooter_sharing-options_105bp_146 {\n list-style: none;\n padding: 0;\n margin: 0;\n display: block;\n flex-direction: column;\n background-color: white;\n width: 2.6875rem;\n border-radius: 0 0.4375rem 0.4375rem 0;\n}\n.custom_widget_MicrosoftFooter_linkedin-icon_105bp_156 {\n border-top-right-radius: 7px;\n}\n.custom_widget_MicrosoftFooter_linkedin-icon_105bp_156:hover {\n border-radius: 0;\n}\n.custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162 {\n border-bottom-right-radius: 7px;\n}\n.custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162:hover {\n border-radius: 0;\n}\n.custom_widget_MicrosoftFooter_social-link-footer_105bp_169 {\n position: relative;\n display: block;\n margin: -0.125rem 0;\n transition: all 0.2s ease;\n}\n.custom_widget_MicrosoftFooter_social-link-footer_105bp_169:hover .custom_widget_MicrosoftFooter_linkedin-icon_105bp_156 {\n border-radius: 0;\n}\n.custom_widget_MicrosoftFooter_social-link-footer_105bp_169:hover .custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162 {\n border-radius: 0;\n}\n.custom_widget_MicrosoftFooter_social-link-footer_105bp_169 img {\n width: 2.5rem;\n height: auto;\n transition: filter 0.3s ease;\n}\n.custom_widget_MicrosoftFooter_social-share-list_105bp_188 {\n width: 2.5rem;\n}\n.custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162 {\n width: 2.5rem;\n}\n.custom_widget_MicrosoftFooter_share-icon_105bp_195 {\n border: 2px solid transparent;\n display: inline-block;\n position: relative;\n}\n.custom_widget_MicrosoftFooter_share-icon_105bp_195:hover {\n opacity: 1;\n border: 2px solid white;\n box-sizing: border-box;\n}\n.custom_widget_MicrosoftFooter_share-icon_105bp_195:hover .custom_widget_MicrosoftFooter_label_105bp_207 {\n opacity: 1;\n visibility: visible;\n border: 2px solid white;\n box-sizing: border-box;\n border-left: none;\n}\n.custom_widget_MicrosoftFooter_label_105bp_207 {\n position: absolute;\n left: 100%;\n white-space: nowrap;\n opacity: 0;\n visibility: hidden;\n transition: all 0.2s ease;\n color: white;\n border-radius: 0 10 0 0.625rem;\n top: 50%;\n transform: translateY(-50%);\n height: 2.5rem;\n border-radius: 0 0.375rem 0.375rem 0;\n display: flex;\n align-items: center;\n justify-content: center;\n padding: 1.25rem 0.3125rem 1.25rem 0.5rem;\n margin-left: -0.0625rem;\n}\n.custom_widget_MicrosoftFooter_linkedin_105bp_156 {\n background-color: #0474b4;\n}\n.custom_widget_MicrosoftFooter_facebook_105bp_237 {\n background-color: #3c5c9c;\n}\n.custom_widget_MicrosoftFooter_twitter_105bp_240 {\n background-color: white;\n color: black;\n}\n.custom_widget_MicrosoftFooter_reddit_105bp_244 {\n background-color: #fc4404;\n}\n.custom_widget_MicrosoftFooter_mail_105bp_247 {\n background-color: #848484;\n}\n.custom_widget_MicrosoftFooter_bluesky_105bp_250 {\n background-color: white;\n color: black;\n}\n.custom_widget_MicrosoftFooter_rss_105bp_254 {\n background-color: #ec7b1c;\n}\n#custom_widget_MicrosoftFooter_RSS_105bp_1 {\n width: 2.5rem;\n height: 2.5rem;\n}\n@media (max-width: 991px) {\n .custom_widget_MicrosoftFooter_social-share_105bp_138 {\n display: none;\n }\n}\n","tokens":{"context-uhf":"custom_widget_MicrosoftFooter_context-uhf_105bp_1","c-uhff-link":"custom_widget_MicrosoftFooter_c-uhff-link_105bp_12","c-uhff":"custom_widget_MicrosoftFooter_c-uhff_105bp_12","c-uhff-nav":"custom_widget_MicrosoftFooter_c-uhff-nav_105bp_35","c-heading-4":"custom_widget_MicrosoftFooter_c-heading-4_105bp_49","c-uhff-nav-row":"custom_widget_MicrosoftFooter_c-uhff-nav-row_105bp_57","c-uhff-nav-group":"custom_widget_MicrosoftFooter_c-uhff-nav-group_105bp_58","c-list":"custom_widget_MicrosoftFooter_c-list_105bp_78","f-bare":"custom_widget_MicrosoftFooter_f-bare_105bp_78","c-uhff-base":"custom_widget_MicrosoftFooter_c-uhff-base_105bp_94","c-uhff-ccpa":"custom_widget_MicrosoftFooter_c-uhff-ccpa_105bp_107","social-share":"custom_widget_MicrosoftFooter_social-share_105bp_138","sharing-options":"custom_widget_MicrosoftFooter_sharing-options_105bp_146","linkedin-icon":"custom_widget_MicrosoftFooter_linkedin-icon_105bp_156","social-share-rss-image":"custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162","social-link-footer":"custom_widget_MicrosoftFooter_social-link-footer_105bp_169","social-share-list":"custom_widget_MicrosoftFooter_social-share-list_105bp_188","share-icon":"custom_widget_MicrosoftFooter_share-icon_105bp_195","label":"custom_widget_MicrosoftFooter_label_105bp_207","linkedin":"custom_widget_MicrosoftFooter_linkedin_105bp_156","facebook":"custom_widget_MicrosoftFooter_facebook_105bp_237","twitter":"custom_widget_MicrosoftFooter_twitter_105bp_240","reddit":"custom_widget_MicrosoftFooter_reddit_105bp_244","mail":"custom_widget_MicrosoftFooter_mail_105bp_247","bluesky":"custom_widget_MicrosoftFooter_bluesky_105bp_250","rss":"custom_widget_MicrosoftFooter_rss_105bp_254","RSS":"custom_widget_MicrosoftFooter_RSS_105bp_1"}},"form":null},"localOverride":false},"CachedAsset:text:en_US-components/community/Breadcrumb-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/community/Breadcrumb-1745505307000","value":{"navLabel":"Breadcrumbs","dropdown":"Additional parent page navigation"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBanner-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBanner-1745505307000","value":{"messageMarkedAsSpam":"This post has been marked as spam","messageMarkedAsSpam@board:TKB":"This article has been marked as spam","messageMarkedAsSpam@board:BLOG":"This post has been marked as spam","messageMarkedAsSpam@board:FORUM":"This discussion has been marked as spam","messageMarkedAsSpam@board:OCCASION":"This event has been marked as spam","messageMarkedAsSpam@board:IDEA":"This idea has been marked as spam","manageSpam":"Manage Spam","messageMarkedAsAbuse":"This post has been marked as abuse","messageMarkedAsAbuse@board:TKB":"This article has been marked as abuse","messageMarkedAsAbuse@board:BLOG":"This post has been marked as abuse","messageMarkedAsAbuse@board:FORUM":"This discussion has been marked as abuse","messageMarkedAsAbuse@board:OCCASION":"This event has been marked as abuse","messageMarkedAsAbuse@board:IDEA":"This idea has been marked as abuse","preModCommentAuthorText":"This comment will be published as soon as it is approved","preModCommentModeratorText":"This comment is awaiting moderation","messageMarkedAsOther":"This post has been rejected due to other reasons","messageMarkedAsOther@board:TKB":"This article has been rejected due to other reasons","messageMarkedAsOther@board:BLOG":"This post has been rejected due to other reasons","messageMarkedAsOther@board:FORUM":"This discussion has been rejected due to other reasons","messageMarkedAsOther@board:OCCASION":"This event has been rejected due to other reasons","messageMarkedAsOther@board:IDEA":"This idea has been rejected due to other reasons","messageArchived":"This post was archived on {date}","relatedUrl":"View Related Content","relatedContentText":"Showing related content","archivedContentLink":"View Archived Content"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageView/MessageViewStandard-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageView/MessageViewStandard-1745505307000","value":{"anonymous":"Anonymous","author":"{messageAuthorLogin}","authorBy":"{messageAuthorLogin}","board":"{messageBoardTitle}","replyToUser":" to {parentAuthor}","showMoreReplies":"Show More","replyText":"Reply","repliesText":"Replies","markedAsSolved":"Marked as Solution","movedMessagePlaceholder.BLOG":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholder.TKB":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholder.FORUM":"{count, plural, =0 {This reply has been} other {These replies have been} }","movedMessagePlaceholder.IDEA":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholder.OCCASION":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholderUrlText":"moved.","messageStatus":"Status: ","statusChanged":"Status changed: {previousStatus} to {currentStatus}","statusAdded":"Status added: {status}","statusRemoved":"Status removed: {status}","labelExpand":"expand replies","labelCollapse":"collapse replies","unhelpfulReason.reason1":"Content is outdated","unhelpfulReason.reason2":"Article is missing information","unhelpfulReason.reason3":"Content is for a different Product","unhelpfulReason.reason4":"Doesn't match what I was searching for"},"localOverride":false},"CachedAsset:text:en_US-components/messages/ThreadedReplyList-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/ThreadedReplyList-1745505307000","value":{"title":"{count, plural, one{# Reply} other{# Replies}}","title@board:BLOG":"{count, plural, one{# Comment} other{# Comments}}","title@board:TKB":"{count, plural, one{# Comment} other{# Comments}}","title@board:IDEA":"{count, plural, one{# Comment} other{# Comments}}","title@board:OCCASION":"{count, plural, one{# Comment} other{# Comments}}","noRepliesTitle":"No Replies","noRepliesTitle@board:BLOG":"No Comments","noRepliesTitle@board:TKB":"No Comments","noRepliesTitle@board:IDEA":"No Comments","noRepliesTitle@board:OCCASION":"No Comments","noRepliesDescription":"Be the first to reply","noRepliesDescription@board:BLOG":"Be the first to comment","noRepliesDescription@board:TKB":"Be the first to comment","noRepliesDescription@board:IDEA":"Be the first to comment","noRepliesDescription@board:OCCASION":"Be the first to comment","messageReadOnlyAlert:BLOG":"Comments have been turned off for this post","messageReadOnlyAlert:TKB":"Comments have been turned off for this article","messageReadOnlyAlert:IDEA":"Comments have been turned off for this idea","messageReadOnlyAlert:FORUM":"Replies have been turned off for this discussion","messageReadOnlyAlert:OCCASION":"Comments have been turned off for this event"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyCallToAction-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyCallToAction-1745505307000","value":{"leaveReply":"Leave a reply...","leaveReply@board:BLOG@message:root":"Leave a comment...","leaveReply@board:TKB@message:root":"Leave a comment...","leaveReply@board:IDEA@message:root":"Leave a comment...","leaveReply@board:OCCASION@message:root":"Leave a comment...","repliesTurnedOff.FORUM":"Replies are turned off for this topic","repliesTurnedOff.BLOG":"Comments are turned off for this topic","repliesTurnedOff.TKB":"Comments are turned off for this topic","repliesTurnedOff.IDEA":"Comments are turned off for this topic","repliesTurnedOff.OCCASION":"Comments are turned off for this topic","infoText":"Stop poking me!"},"localOverride":false},"Category:category:Exchange":{"__typename":"Category","id":"category:Exchange","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Outlook":{"__typename":"Category","id":"category:Outlook","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Community-Info-Center":{"__typename":"Category","id":"category:Community-Info-Center","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:EducationSector":{"__typename":"Category","id":"category:EducationSector","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:DrivingAdoption":{"__typename":"Category","id":"category:DrivingAdoption","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Azure":{"__typename":"Category","id":"category:Azure","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows-Server":{"__typename":"Category","id":"category:Windows-Server","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftTeams":{"__typename":"Category","id":"category:MicrosoftTeams","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PublicSector":{"__typename":"Category","id":"category:PublicSector","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft365":{"__typename":"Category","id":"category:microsoft365","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:IoT":{"__typename":"Category","id":"category:IoT","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:HealthcareAndLifeSciences":{"__typename":"Category","id":"category:HealthcareAndLifeSciences","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:ITOpsTalk":{"__typename":"Category","id":"category:ITOpsTalk","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftLearn":{"__typename":"Category","id":"category:MicrosoftLearn","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftLearnBlog":{"__typename":"Blog","id":"board:MicrosoftLearnBlog","blogPolicies":{"__typename":"BlogPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:AI":{"__typename":"Category","id":"category:AI","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftMechanics":{"__typename":"Category","id":"category:MicrosoftMechanics","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftforNonprofits":{"__typename":"Category","id":"category:MicrosoftforNonprofits","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:StartupsatMicrosoft":{"__typename":"Category","id":"category:StartupsatMicrosoft","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PartnerCommunity":{"__typename":"Category","id":"category:PartnerCommunity","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Microsoft365Copilot":{"__typename":"Category","id":"category:Microsoft365Copilot","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows":{"__typename":"Category","id":"category:Windows","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Content_Management":{"__typename":"Category","id":"category:Content_Management","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoftintune":{"__typename":"Category","id":"category:microsoftintune","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Rank:rank:37":{"__typename":"Rank","id":"rank:37","position":18,"name":"Copper Contributor","color":"333333","icon":null,"rankStyle":"TEXT"},"User:user:7078":{"__typename":"User","id":"user:7078","uid":7078,"login":"davidhoeft61","biography":null,"registrationData":{"__typename":"RegistrationData","status":null,"registrationTime":"2016-08-18T11:11:37.596-07:00"},"deleted":false,"email":"","avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS03MDc4LTIwNTJpMjI5QUQwQTE2REIyNUQyMA"},"rank":{"__ref":"Rank:rank:37"},"entityType":"USER","eventPath":"community:gxcuf89792/user:7078"},"ModerationData:moderation_data:4399218":{"__typename":"ModerationData","id":"moderation_data:4399218","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":null,"rejectTime":null,"rejectActorType":"member"},"BlogReplyMessage:message:4399218":{"__typename":"BlogReplyMessage","author":{"__ref":"User:user:7078"},"id":"message:4399218","revisionNum":1,"uid":4399218,"depth":1,"hasGivenKudo":false,"subscribed":false,"board":{"__ref":"Blog:board:CoreInfrastructureandSecurityBlog"},"parent":{"__ref":"BlogTopicMessage:message:4386252"},"conversation":{"__ref":"Conversation:conversation:4386252"},"subject":"Re: Application Control for Business, Schema Definition","moderationData":{"__ref":"ModerationData:moderation_data:4399218"},"body":"
Thank you! I am using wizard to create first base policy and first supplemental policy. There are lots of choices to make and I am trying to keep from making a choice with \"unintended consequences\". Having this more detailed explanation of file structure and choices in wizard has been helpful today.
","body@stripHtml({\"removeProcessingText\":false,\"removeSpoilerMarkup\":false,\"removeTocMarkup\":false,\"truncateLength\":200})@stringLength":"203","kudosSumWeight":1,"repliesCount":0,"postTime":"2025-03-31T09:08:46.065-07:00","lastPublishTime":"2025-03-31T09:08:46.065-07:00","metrics":{"__typename":"MessageMetrics","views":40},"visibilityScope":"PUBLIC","placeholder":false,"originalMessageForPlaceholder":null,"entityType":"BLOG_REPLY","eventPath":"category:cis/category:microsoft-security/category:products-services/category:communities/community:gxcuf89792board:CoreInfrastructureandSecurityBlog/message:4386252/message:4399218","replies":{"__typename":"MessageConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[]},"customFields":[],"attachments":{"__typename":"AttachmentConnection","edges":[],"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"CachedAsset:text:en_US-components/community/Navbar-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/community/Navbar-1745505307000","value":{"community":"Community Home","inbox":"Inbox","manageContent":"Manage Content","tos":"Terms of Service","forgotPassword":"Forgot Password","themeEditor":"Theme Editor","edit":"Edit Navigation Bar","skipContent":"Skip to content","gxcuf89792":"Tech Community","external-1":"Events","s-m-b":"Nonprofit Community","windows-server":"Windows Server","education-sector":"Education Sector","driving-adoption":"Driving Adoption","Common-content_management-link":"Content Management","microsoft-learn":"Microsoft Learn","s-q-l-server":"Content Management","partner-community":"Microsoft Partner Community","microsoft365":"Microsoft 365","external-9":".NET","external-8":"Teams","external-7":"Github","products-services":"Products","external-6":"Power Platform","communities-1":"Topics","external-5":"Microsoft Security","planner":"Outlook","external-4":"Microsoft 365","external-3":"Dynamics 365","azure":"Azure","healthcare-and-life-sciences":"Healthcare and Life Sciences","external-2":"Azure","microsoft-mechanics":"Microsoft Mechanics","microsoft-learn-1":"Community","external-10":"Learning Room Directory","microsoft-learn-blog":"Blog","windows":"Windows","i-t-ops-talk":"ITOps Talk","external-link-1":"View All","microsoft-securityand-compliance":"Microsoft Security","public-sector":"Public Sector","community-info-center":"Lounge","external-link-2":"View All","microsoft-teams":"Microsoft Teams","external":"Blogs","microsoft-endpoint-manager":"Microsoft Intune","startupsat-microsoft":"Startups at Microsoft","exchange":"Exchange","a-i":"AI and Machine Learning","io-t":"Internet of Things (IoT)","Common-microsoft365-copilot-link":"Microsoft 365 Copilot","outlook":"Microsoft 365 Copilot","external-link":"Community Hubs","communities":"Products"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarHamburgerDropdown-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarHamburgerDropdown-1745505307000","value":{"hamburgerLabel":"Side Menu"},"localOverride":false},"CachedAsset:text:en_US-components/community/BrandLogo-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/community/BrandLogo-1745505307000","value":{"logoAlt":"Khoros","themeLogoAlt":"Brand Logo"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarTextLinks-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarTextLinks-1745505307000","value":{"more":"More"},"localOverride":false},"CachedAsset:text:en_US-components/authentication/AuthenticationLink-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/authentication/AuthenticationLink-1745505307000","value":{"title.login":"Sign In","title.registration":"Register","title.forgotPassword":"Forgot Password","title.multiAuthLogin":"Sign In"},"localOverride":false},"CachedAsset:text:en_US-components/nodes/NodeLink-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/nodes/NodeLink-1745505307000","value":{"place":"Place {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCoverImage-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCoverImage-1745505307000","value":{"coverImageTitle":"Cover Image"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeTitle-1745505307000","value":{"nodeTitle":"{nodeTitle, select, community {Community} other {{nodeTitle}}} "},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTimeToRead-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTimeToRead-1745505307000","value":{"minReadText":"{min} MIN READ"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageSubject-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageSubject-1745505307000","value":{"noSubject":"(no subject)"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserLink-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserLink-1745505307000","value":{"authorName":"View Profile: {author}","anonymous":"Anonymous"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserRank-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserRank-1745505307000","value":{"rankName":"{rankName}","userRank":"Author rank {rankName}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTime-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTime-1745505307000","value":{"postTime":"Published: {time}","lastPublishTime":"Last Update: {time}","conversation.lastPostingActivityTime":"Last posting activity time: {time}","conversation.lastPostTime":"Last post time: {time}","moderationData.rejectTime":"Rejected time: {time}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBody-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBody-1745505307000","value":{"showMessageBody":"Show More","mentionsErrorTitle":"{mentionsType, select, board {Board} user {User} message {Message} other {}} No Longer Available","mentionsErrorMessage":"The {mentionsType} you are trying to view has been removed from the community.","videoProcessing":"Video is being processed. Please try again in a few minutes.","bannerTitle":"Video provider requires cookies to play the video. Accept to continue or {url} it directly on the provider's site.","buttonTitle":"Accept","urlText":"watch"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCustomFields-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCustomFields-1745505307000","value":{"CustomField.default.label":"Value of {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageRevision-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageRevision-1745505307000","value":{"lastUpdatedDatePublished":"{publishCount, plural, one{Published} other{Updated}} {date}","lastUpdatedDateDraft":"Created {date}","version":"Version {major}.{minor}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/QueryHandler-1745505307000","value":{"title":"Query Handler"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyButton-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyButton-1745505307000","value":{"repliesCount":"{count}","title":"Reply","title@board:BLOG@message:root":"Comment","title@board:TKB@message:root":"Comment","title@board:IDEA@message:root":"Comment","title@board:OCCASION@message:root":"Comment"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageAuthorBio-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageAuthorBio-1745505307000","value":{"sendMessage":"Send Message","actionMessage":"Follow this blog board to get notified when there's new activity","coAuthor":"CO-PUBLISHER","contributor":"CONTRIBUTOR","userProfile":"View Profile","iconlink":"Go to {name} {type}"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarDropdownToggle-1745505307000","value":{"ariaLabelClosed":"Press the down arrow to open the menu"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserAvatar-1745505307000","value":{"altText":"{login}'s avatar","altTextGeneric":"User's avatar"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/ranks/UserRankLabel-1745505307000","value":{"altTitle":"Icon for {rankName} rank"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagView/TagViewChip-1745505307000","value":{"tagLabelName":"Tag name {tagName}"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserRegistrationDate-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserRegistrationDate-1745505307000","value":{"noPrefix":"{date}","withPrefix":"Joined {date}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeAvatar-1745505307000","value":{"altTitle":"Node avatar for {nodeTitle}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeDescription-1745505307000","value":{"description":"{description}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageListMenu-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageListMenu-1745505307000","value":{"postTimeAsc":"Oldest","postTimeDesc":"Newest","kudosSumWeightAsc":"Least Liked","kudosSumWeightDesc":"Most Liked","sortTitle":"Sort By","sortedBy.item":" { itemName, select, postTimeAsc {Oldest} postTimeDesc {Newest} kudosSumWeightAsc {Least Liked} kudosSumWeightDesc {Most Liked} other {}}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeIcon-1745505307000","value":{"contentType":"Content Type {style, select, FORUM {Forum} BLOG {Blog} TKB {Knowledge Base} IDEA {Ideas} OCCASION {Events} other {}} icon"},"localOverride":false}}}},"page":"/blogs/BlogMessagePage/BlogMessagePage","query":{"boardId":"coreinfrastructureandsecurityblog","messageSubject":"application-control-for-business-schema-definition","messageId":"4386252"},"buildId":"YK32GCbhJqbL-HLk4DLXM","runtimeConfig":{"buildInformationVisible":false,"logLevelApp":"info","logLevelMetrics":"info","openTelemetryClientEnabled":false,"openTelemetryConfigName":"o365","openTelemetryServiceVersion":"25.3.0","openTelemetryUniverse":"prod","openTelemetryCollector":"http://localhost:4318","openTelemetryRouteChangeAllowedTime":"5000","apolloDevToolsEnabled":false,"inboxMuteWipFeatureEnabled":false},"isFallback":false,"isExperimentalCompile":false,"dynamicIds":["./components/community/Navbar/NavbarWidget.tsx","./components/community/Breadcrumb/BreadcrumbWidget.tsx","./components/customComponent/CustomComponent/CustomComponent.tsx","./components/blogs/BlogArticleWidget/BlogArticleWidget.tsx","./components/messages/MessageView/MessageViewStandard/MessageViewStandard.tsx","./components/messages/ThreadedReplyList/ThreadedReplyList.tsx","./components/external/components/ExternalComponent.tsx","../shared/client/components/common/List/UnwrappedList/UnwrappedList.tsx","./components/tags/TagView/TagView.tsx","./components/tags/TagView/TagViewChip/TagViewChip.tsx","../shared/client/components/common/List/UnstyledList/UnstyledList.tsx","./components/messages/MessageView/MessageView.tsx","./components/customComponent/CustomComponentContent/TemplateContent.tsx"],"appGip":true,"scriptLoader":[{"id":"analytics","src":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/pagescripts/1730819800000/analytics.js?page.id=BlogMessagePage&entity.id=board%3Acoreinfrastructureandsecurityblog&entity.id=message%3A4386252","strategy":"afterInteractive"}]}
Microsoft