The CIP policy version is '10' while AppControl Manager only supports up to version '9'. Not all policy's features could be decoded.

[grimson73]

Hi, just started with App Control and tried using the Application Control 'built-in controls' policy settings.

On the endpoint I installed this great app to monitor what happens but it seems like AppControl Manager doesnt like the Microsoft provided Policies(?).

System information -> Retrieve Policies;

Policy ID: : e0abda1f-ccf0-468e-8855-3e0f08b02d6a
Base Policy ID: : The CIP policy version is '10' while AppControl Manager only supports up to version '9'. Not all policy's features could be decoded.
Friendly Name: : Built-in controls - Trust apps with good reputation - On
Version: : 10.2.0.0
Version: : 10.2.0.0
Is System Policy: : False
Is Signed Policy: : False
Is On Disk: : True
Is Enforced: : True
Is Authorized: : True
Policy Options: : Enabled:Intelligent Security Graph Authorization, Enabled:Inherit Default Policy, Enabled:Unsigned System Integrity Policy
--------------------------------------------------

I see the policy is downloaded and stored in C:\Windows\System32\CodeIntegrity\CIPolicies\Active{e0abda1f-ccf0-468e-8855-3e0f08b02d6a}.CIP but I can't open this policy with the Editor.

{e0abda1f-ccf0-468e-8855-3e0f08b02d6a}.zip

https://github.com/Harvester57/Code-Integrity-example-policies-Insider/blob/main/DefaultWindows_Audit.xml
Based on the GUID this seems to be the policy, I can however open this XML but not the CIP. (if they are indeed the same policy)

[HotCakeX]

Hi,
They are not the same policy, if they were you wouldn't be getting that error. What you're trying to do is reversing a CIP binary file deployed by Microsoft back to XML. Microsoft must be using additional items in the policy they deploy. I will have to add the necessary logic to decode them as well.

The CIP file you shared is helpful though, thank you!

I just warped up v2.0.62.0: #1024, so i'll add the necessary logic to the update after this, v2.0.63.0

[HotCakeX]

You can now update the AppControl Manager to the latest version and convert all CIPs back to XML, included in version 2.0.62.0: https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/AppControlManager-v2.0.62.0

[grimson73]

Hi again, thanks for taking the time to look into this subject.
I did some testing and made a second policy with the Policy creation type: Built-in controls.
This time with enabling all 3 options.

Preliminary findings:

• Policy conflict -> I guess when using 'Built-in controls' the same GUID is used for the policy, but this isn't well documented. So applying multiple policies based on a device with the 'built-in controls' then no policy will apply because of conflict.
• Built-in controls seems to be a supplemental policy but have to research this more if this is true. (At least they don't work 'standalone')

I attached another CIP file coming from the built-in controls with all 3 options enabled, same GUID as the previous one.
Built-in controls - All Enabled.zip

So decoding this Microsoft built-in controls CIP would help in understanding whats happening, again thanks for the support. Not entitled to anything but instead graceful for all the time developers take to help out the community who benefit eventually of their time and input.

[HotCakeX]

You're very welcome, i'm glad i can help!

You can decode everything now after updating the app. Multiple policies are supported and this document goes over their rules.

When using Audit mode, nothing gets blocked, only logs are generated. Also try choosing only one between Managed Installer and Intelligent Security Graph.

I personally recommend using AppControl Manager to create and deploy policies to Intune instead of using the portal because the app offers full control.

[grimson73]

Thanks for the follow-up and advice and well such a quick response (which of course you aren't obliged to and not expecting this). Just starting with Application Control (earlier days AppLocker on RDS servers) but it seems really a must have part of the zero trust 'stack' today on modern workplaces. Will deep dive in the docs and found my rabbit hole :)

[HotCakeX]

@grimson73 My pleasure!
Yeah i also think it's a must have. Blacklisting just isn't enough nor practical, whitelisting is the much better and secure strategy so we don't have to chase malware constantly. Please feel free to open new issues for any features that you'd like to see in the AppControl Manager that's not already there ^^