A Pass-Through System Integrity Policy File

The demonstration for Licensed Driver Signing in Windows 10 requires a System Integrity policy file. This must be compiled from XML to produce a binary that then must be signed and installed. Though the conversion from XML to binary can be done simply by running a PowerShell command, it’s not simple for everyone because the PowerShell command is very particular about which Windows editions it will run on. So that readers can proceed with the demonstration even without ready access to the particular editions, the sample policy for the demonstration is about as close as can be to having no effect.

<?xml version="1.0" encoding="utf-8"?>
<!-- Minimal System Integrity policy for the Licensed Driver Signing
  demonstration. It is written so that, once compiled to binary and installed,
  it changes as little as possible: the policy itself may be unsigned, and every
  root category that Windows distinguishes is allowed for kernel mode. -->
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <!-- Policy format version. -->
  <VersionEx>10.0.0.0</VersionEx>
  <!-- NOTE(review): these two GUIDs look to be the fixed identifiers for the
    policy type and platform rather than values chosen for this policy; keep
    them as given unless a different sample shows otherwise. -->
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F4AA6C5A234}</PlatformID>
  <Rules>
    <!-- So that the demonstration can be tested by readers who can't edit the 
      policy, we don't restrict who can sign it. An easy way is to enable the
      option that lets the policy be unsigned. -->
    <!-- Consequence of this option: the compiled policy binary is accepted
      without a signature, which is why UpdatePolicySigners (below) can be left
      empty. The installed policy's integrity then rests only on the access
      controls of the location it is installed to. -->
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
  </Rules>
  <!-- No EKU constraints and no per-file allow or deny rules. -->
  <EKUs />
  <FileRules />
  <!-- Signer definitions, referenced by ID from AllowedSigners below. Each one
    identifies a signing chain by its root only. NOTE(review): Name looks to be
    a descriptive label, with matching done on CertRoot; confirm. -->
  <Signers>
    <!-- For Wellknown CertRoot "01" the certificate chain is too long or 
      reaches a certificate whose issuer is not in the chain and does not 
      have the same name as any known Microsoft root. -->
    <Signer ID="ID_SIGNER_KNOWNROOT_1" Name="Unknown Root">
      <CertRoot Type="Wellknown" Value="01" />
    </Signer>
    <!-- For Wellknown CertRoot "02" the certificate chain reaches a 
      certificate that is its own issuer but which does not have the same 
      public key as any known Microsoft root. -->
    <Signer ID="ID_SIGNER_KNOWNROOT_2" Name="Self-Signed Root">
      <CertRoot Type="Wellknown" Value="02" />
    </Signer>
    <!-- Each Wellknown CertRoot "03" and higher is a known Microsoft root. 
      The numbering here is what's known to Windows 10 up to and including 
      its 1709 release. -->
    <Signer ID="ID_SIGNER_KNOWNROOT_3" Name="Microsoft Authenticode(tm) Root Authority">
      <CertRoot Type="Wellknown" Value="03" />
    </Signer>
    <Signer ID="ID_SIGNER_KNOWNROOT_4" Name="Microsoft Root Authority">
      <CertRoot Type="Wellknown" Value="04" />
    </Signer>
    <Signer ID="ID_SIGNER_KNOWNROOT_5" Name="Microsoft Root Certificate Authority">
      <CertRoot Type="Wellknown" Value="05" />
    </Signer>
    <Signer ID="ID_SIGNER_KNOWNROOT_6" Name="Microsoft Root Certificate Authority 2010">
      <CertRoot Type="Wellknown" Value="06" />
    </Signer>
    <Signer ID="ID_SIGNER_KNOWNROOT_7" Name="Microsoft Root Certificate Authority 2011">
      <CertRoot Type="Wellknown" Value="07" />
    </Signer>
    <Signer ID="ID_SIGNER_KNOWNROOT_8" Name="Microsoft Code Verification Root">
      <CertRoot Type="Wellknown" Value="08" />
    </Signer>
    <Signer ID="ID_SIGNER_KNOWNROOT_9" Name="Microsoft Test Root Authority">
      <CertRoot Type="Wellknown" Value="09" />
    </Signer>
    <Signer ID="ID_SIGNER_KNOWNROOT_10" Name="Microsoft Testing Root Certificate Authority 2010">
      <CertRoot Type="Wellknown" Value="0A" />
    </Signer>
    <Signer ID="ID_SIGNER_KNOWNROOT_11" Name="MS Protected Media Test Root">
      <CertRoot Type="Wellknown" Value="0B" />
    </Signer>
    <Signer ID="ID_SIGNER_KNOWNROOT_12" Name="Microsoft Digital Media Authority 2005">
      <CertRoot Type="Wellknown" Value="0C" />
    </Signer>
    <Signer ID="ID_SIGNER_KNOWNROOT_13" Name="Microsoft Digital Media Authority 2005 for preview releases">
      <CertRoot Type="Wellknown" Value="0D" />
    </Signer>
    <Signer ID="ID_SIGNER_KNOWNROOT_14" Name="Microsoft Development Root Certificate Authority 2014">
      <CertRoot Type="Wellknown" Value="0E" />
    </Signer>
    <Signer ID="ID_SIGNER_KNOWNROOT_15" Name="Microsoft Corporation Third Party Marketplace Root">
      <CertRoot Type="Wellknown" Value="0F" />
    </Signer>
  </Signers>
  <SigningScenarios>
    <!-- The numbering of scenarios looks to have been inherited from Secure 
      Boot policies, which provide for very many more (and perhaps can be 
      prepared from this or very similar XML). System Integrity policies, 
      however, are parsed only for scenarios 131 and 12, to mean kernel and 
      user modes respectively. -->
    <!-- Only scenario 131 is defined here, so this policy says nothing about
      user-mode signing. NOTE(review): presumably user mode is then simply not
      governed by this policy; confirm before relying on that. -->
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS" FriendlyName="Kernel Mode">
      <ProductSigners>
        <AllowedSigners>
          <!-- Again so that the demonstration can be tested by readers who 
            can't edit the policy, allow all signers, much as does the 
            testsigning BCD option. -->
          <!-- Allowing roots 01 and 02 alongside the Microsoft roots is what
            makes the policy pass-through: per the Signers comments above, any
            chain falls into one of these categories, so the only remaining
            requirement is that a driver carry a signature at all (an unsigned
            driver has no chain to classify and presumably still fails). -->
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_1" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_2" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_3" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_4" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_5" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_6" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_7" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_8" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_9" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_10" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_11" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_12" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_13" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_14" />
          <AllowedSigner SignerId="ID_SIGNER_KNOWNROOT_15" />
        </AllowedSigners>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
  <!-- No signers are required for updating the policy; this goes together with
    the unsigned-policy option enabled in Rules above. -->
  <UpdatePolicySigners />
  <CiSigners />
  <!-- 0: this policy does not enable hypervisor-protected code integrity. -->
  <HvciOptions>0</HvciOptions>
  <Settings />
</SiPolicy>