What's the right way to deploy my signed WDAC policy to my test VM?

[ghost]

I'm using Hyper-V VM, Windows 11 22H2, to test signed WDAC policy, specifically the fact that even administrators can't disable/remove it, so I decided to try it out.

I've already successfully deployed unsigned WDAC policy on my host and it works perfectly. but I'm having trouble getting the signed variation to work.

I've checked out this related question and already tried the solution there which was to use the PolicyID of one of the WDAC policy templates from here in my WDAC policy:

"C:\Windows\schemas\CodeIntegrity\ExamplePolicies"

so I did it, took one of the PolicyIDs from those example XML files and replaced my BasePolicyID and PolicyID with it like this:

<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>

  <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>

after a reboot of the VM, Windows no longer loads.

before using that solution, my VM would reboot at least once, but on the 2nd reboot Windows wouldn't load anymore.

I've made a checkpoint prior to deploying it to my VM so I can go back to previous state in seconds. I'm open to any suggestion. that question was from 3 years ago, I thought maybe things have changed now.

there is almost no information about troubleshooting signed WDAC policy or even deploying it, all I found was copy paste of the text from official Microsoft Docs website.

I don't know how Australia does it but kudos to them.

I don't know whether I should add the .cert file I used to create signed WDAC policy, to the VM's certificate store or not, and if I should, which store? I tried trusted CAs store but didn't work.

here is how I made my signed WDAC policy (before applying the solution from the question I linked):

first I created my code signing certificate:

New-SelfSignedCertificate -DnsName "WDACSigning" -CertStoreLocation Cert:\CurrentUser\My\ -Type Codesigning -KeyLength 2048 -KeyAlgorithm RSA

then exported it to .cert without private keys and to .pfx with private key.

after that, followed the official Microsoft docs guide and did this:

Add-SignerRule -FilePath "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml" -CertificatePath "C:\Users\username\OneDrive\Desktop\certificate.cer" -Kernel -User –Update 

 

Set-RuleOption -FilePath "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml" -Option 6 –Delete 



$PolicyID= Set-CIPolicyIdInfo -FilePath "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml"  -ResetPolicyID     
$PolicyID = $PolicyID.Substring(11)     
$CIPolicyBin = "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\" + $PolicyID + ".cip"     
ConvertFrom-CIPolicy "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml" $CIPolicyBin 

 

cd "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\" 
     
 

.\signtool.exe sign -v /n "test.com" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\{3fc72282-501d-482a-906e-a67b66b8fc42}.cip" 

 

but didn't work as mentioned above.

I did the same procedure in order to try the solution from the linked question, with the exception of not running this part:

$PolicyID= Set-CIPolicyIdInfo -FilePath "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml"  -ResetPolicyID 

$PolicyID = $PolicyID.Substring(11) 

$CIPolicyBin = "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\" + $PolicyID + ".cip" 

ConvertFrom-CIPolicy "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml" $CIPolicyBin 

and instead swapping the PolicyID and BasePolicyID manually, and then using this command to create the .cip file:

ConvertFrom-CIPolicy "C:\Users\username\OneDrive\Desktop\Signing test - my WDAC Policy\0 Signed\MERGED.xml" "{A244370E-44C9-4C06-B551-F6016E563076}.cip"

it didn't work either. still the system fails to boot again on the 2nd reboot, as if there is no boot record of the OS.

I need someone to help me out because I ran out of options to try.

[HotCakeX]

Hi,
I've made a wiki post here on GitHub that completely explains all of the steps required, according to Microsoft official guides, to successfully create, sign and deploy a Signed WDAC policy.

https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-and-Deploy-a-Signed-WDAC-Policy-(Windows-Defender-Application-Control)