
I have been struggling with a problem for a while now... Basically, I am creating a PowerShell GUI that will allow admins in my organization to deploy Windows Defender Application Control (WDAC) policies through PowerShell with a user-friendly interface.

My boss requested that I put in a status label that shows whether a policy is currently in Audit Mode, Enforce Mode, or Disabled (does not exist). The disabled part I've got figured out, but I was wondering how I could take an existing SIPolicy.p7b file and check for Rule Option 3 (Audit Mode)?

I originally wanted to see if it was possible to convert the SIPolicy binary back to XML, but I'm afraid that's a lost cause.

My second idea was to create temporary dupes of SIPolicy from the original XML file, one with enforce mode, one with audit mode, and compare file hashes, but that requires the user to select the XML file initially or for the XML file path to be hardcoded in the script and I would strongly like to avoid that.

If anyone is familiar with WDAC, binary files, PowerShell, etc. and is able to help out with a solution or just some clarifying guidance, I would really appreciate it.

Sorry if this post isn't done very well, I've never posted on stack before haha!

Thank you!

tayoojo

1 Answer


I have lots of resources about WDAC, binary files and PowerShell. You can find them on my GitHub:

https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction

There is also a module called WDACConfig.

AFAIK, there is no way to get the XML file from the binary file, whether it's .cip or .p7b.

On Windows 11 it's recommended to only use cip files, convert policies to multiple policy format and the output will be .cip.

Use CITool for deployment, no reboot required.

CITool can also list/update/remove/refresh policies among other things.

When you list deployed policies with CITool on Windows 11 22H2, it gives you information about policyID, BasepolicyID etc.

On Windows 11 Insider channels, CITool gives you exactly the information you are looking for. It shows you which policy rule options are included in each deployed policy, whether or not the policy is signed, and more! Hopefully the updates and new features will make it to the stable channel soon.

Btw, feel free to take anything you need from the module and incorporate it into the PowerShell GUI that you are making :)

There is another way to find out which policy is in Audit mode: check the logs in Event Viewer under Microsoft-Windows-CodeIntegrity/Operational, Event ID 3076. Whenever a policy is deployed in Audit mode and you run a program not allowed by it, a new log entry is created containing information about the file as well as the policy that generated it.

SpyNet
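One way to turn the two signals the answer describes (CITool's policy listing and the 3076 audit events) into the Audit / Enforce / Disabled label the question asks for. This is an added example, not code from the question, the answer, or the WDACConfig module, and it is PowerShell because that is what the GUI is written in. It assumes the shape of `CiTool.exe --list-policies --json` output (a `Policies` array with `PolicyID`, `BasePolicyID`, `FriendlyName`, `IsEnforced`, `IsSignedPolicy`, `IsSystemPolicy` and, on newer builds, `PolicyOptions`) and that event 3076 carries `PolicyName` and `PolicyGUID` in its EventData; both field sets are assumptions to verify against the build you target. The function names and the sample JSON are constructed for the example.

```powershell
# Added example, not code from the question or the answer above.
# Assumptions: CiTool.exe --list-policies --json (Windows 11 22H2+) returns an
# object with a "Policies" array whose entries carry PolicyID, BasePolicyID,
# FriendlyName, IsEnforced, IsSignedPolicy, IsSystemPolicy and, on newer builds,
# a PolicyOptions array; event 3076 in Microsoft-Windows-CodeIntegrity/Operational
# carries PolicyName and PolicyGUID in its EventData. Verify these field names.

function Get-WdacPolicyState {
    [CmdletBinding()]
    param(
        # Constructed JSON for offline testing; leave empty to query the live machine.
        [string]$SampleJson
    )

    if ($SampleJson) {
        $raw = $SampleJson
    }
    else {
        $ciTool = Join-Path $env:SystemRoot 'System32\CiTool.exe'
        if (-not (Test-Path -LiteralPath $ciTool)) {
            throw 'CiTool.exe not found; --list-policies needs Windows 11 22H2 or later.'
        }
        # CiTool emits one JSON document across several lines; join before parsing.
        $raw = (& $ciTool --list-policies --json) -join "`n"
        if ($LASTEXITCODE -ne 0) { throw "CiTool.exe exited with code $LASTEXITCODE" }
    }

    foreach ($p in (ConvertFrom-Json -InputObject $raw).Policies) {
        # Microsoft's built-in system policies are always present; they are not the
        # admin-deployed policy whose mode the GUI needs to display.
        if ($p.IsSystemPolicy) { continue }

        # IsEnforced is the direct answer to "is rule option 3 set": an unenforced,
        # authorized policy is running in audit mode.
        $mode = if ($p.IsEnforced) { 'Enforce' } else { 'Audit' }

        # Newer builds also list the rule options by name (assumed string form);
        # on older builds the property is absent, so report $null rather than guess.
        $auditOption = $null
        if ($p.PSObject.Properties['PolicyOptions']) {
            $auditOption = [bool]($p.PolicyOptions | Where-Object { $_ -match 'Audit Mode' })
        }

        [pscustomobject]@{
            PolicyID     = $p.PolicyID
            BasePolicyID = $p.BasePolicyID
            FriendlyName = $p.FriendlyName
            Signed       = [bool]$p.IsSignedPolicy
            Mode         = $mode
            AuditOption  = $auditOption
        }
    }
}

function Get-WdacStatusLabel {
    # Reduce the policy list to the three states the status label must show.
    param([object[]]$Policies)
    if (-not $Policies)                   { return 'Disabled' }
    if ($Policies.Mode -contains 'Audit') { return 'Audit Mode' }
    return 'Enforce Mode'
}

function Get-WdacAuditEventPolicies {
    # Corroborating signal: 3076 events are only written by a policy in audit mode,
    # so grouping them by PolicyGUID names the audit-mode policy without touching
    # the .p7b/.cip binary. Empty until something the policy would block has run.
    param([int]$MaxEvents = 1000)
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]($_.ToXml())).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ PolicyName = $data['PolicyName']; PolicyGUID = $data['PolicyGUID'] }
    } | Group-Object PolicyGUID | ForEach-Object {
        [pscustomobject]@{ PolicyGUID = $_.Name; PolicyName = $_.Group[0].PolicyName; AuditEvents = $_.Count }
    }
}

# Constructed sample shaped like the assumed CiTool output: one system policy
# (skipped) and one admin policy still in audit mode. GUIDs are made up.
$sample = @'
{ "Policies": [
  { "PolicyID": "{AAAAAAAA-0000-0000-0000-000000000001}", "BasePolicyID": "{AAAAAAAA-0000-0000-0000-000000000001}",
    "FriendlyName": "Built-in driver policy", "IsEnforced": true, "IsSignedPolicy": true, "IsSystemPolicy": true },
  { "PolicyID": "{BBBBBBBB-0000-0000-0000-000000000002}", "BasePolicyID": "{BBBBBBBB-0000-0000-0000-000000000002}",
    "FriendlyName": "Contoso Workstation Policy", "IsEnforced": false, "IsSignedPolicy": false, "IsSystemPolicy": false,
    "PolicyOptions": [ "Enabled:Audit Mode", "Enabled:UMCI" ] }
] }
'@

$state = Get-WdacPolicyState -SampleJson $sample
$state | Format-Table -AutoSize
"Status label: $(Get-WdacStatusLabel -Policies $state)"
```

Run `Get-WdacPolicyState` with no argument on the target machine to read the live CiTool output, and `Get-WdacAuditEventPolicies` to cross-check which policy GUID is actually producing audit entries. Two caveats for the GUI: `AuditOption` stays `$null` on builds that do not yet expose `PolicyOptions` (the stable-channel limitation the answer mentions), so the label should key off `Mode`; and the 3076 query is a confirmation, not a primary check, because a freshly deployed audit policy has written no events yet.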