Configure WDAC Policy for Whitelisting signed installer. Win 10 Enterprise LTSB


I have a C# application with all DLLs signed, and its installer is generated with Advanced Installer. The installer is also signed.

I need to configure the WDAC Code Integrity feature so that both the installer and the application work. With the following steps I get it working on Win 10 22H2, but I'm having problems with Win 10 Enterprise 2016 LTSB.

I'm adding two signatures: our company signature and also the Caphyon signature, because during install the installer creates some temporary files signed with that signature.

#Create base policy

New-CIPolicy -FilePath ".\policysys32.xml" -Level Publisher -Fallback Hash -UserPEs -ScanPath "c:\windows"
New-CIPolicy -FilePath ".\policyprogfiles.xml" -Level Publisher -Fallback Hash -UserPEs -ScanPath "c:\program files" -NoScript

#Merge Policy Files
Merge-CIPolicy -PolicyPaths ".\policysys32.xml", ".\policyprogfiles.xml" -OutputFilePath ".\policyfinal.xml"

#Add SignerRules
Add-SignerRule -FilePath ".\policyfinal.xml" -CertificatePath "CompanyCert" -Kernel -User -Update
Add-SignerRule -FilePath ".\policyfinal.xml" -CertificatePath "CAPHYONCer(AdvancedInstaller)" -Kernel -User -Update

ConvertFrom-CIPolicy ".\policyfinal.xml" ".\DeviceGuardPolicy.bin"

#Policy binary files should be named as SiPolicy.p7b for Windows 10 versions earlier than 1903
$PolicyBinary = "C:\DeviceGuard\DeviceGuardPolicy.bin"
$DestinationBinary = $env:windir+"\System32\CodeIntegrity\SiPolicy.p7b"

Copy-Item -Path $PolicyBinary -Destination $DestinationBinary -Force

The generated policy XML file has the following rules.

<VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Audit Mode</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Advanced Boot Options Menu</Option>
    </Rule>
    <Rule>
      <Option>Required:Enforce Store Applications</Option>
    </Rule>
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>
    <Rule>
      <Option>Disabled:Script Enforcement</Option>
    </Rule>
  </Rules>

When I click on the exe installer I get a message saying "This installation is forbidden by system policy".

I have also checked Event Viewer and I didn't see any event related to my installer in the CodeIntegrity section.

One more strange thing is that I have tried to run the Sublime Text installer with this policy enabled and it ran (because the policy is in audit mode), but I can see events in Event Viewer saying that the installer did not meet the policy requirements. But when running our company software installer I cannot see anything in Event Viewer saying that the installer did not meet the policy. I can only see this event in the Application section with MsiInstaller as the source. Of course the installer works without problems in the same Windows VM with the policy disabled.

The description for Event ID 1044 from source MsiInstaller cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: C:\Users\User\AppData\Roaming\Company\installer\install\installer_setup.msi

(NULL) (NULL) (NULL) (NULL) (NULL) the message resource is present but the message is not found in the string/message table

What is the difference between the two Windows versions that is making the installer blocked by System Policy?
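Whether the installer's certificates are trusted depends on the policy's Signers and SigningScenarios sections, not only on the Rules shown above (scenario Value 131 is kernel mode, Value 12 is user mode, which is where an MSI installer runs). As an added example that is not part of the question, this Python script parses a constructed SiPolicy-style XML, reports the rule options and the signers allowed in each scenario, and flags a required signer missing from the user-mode allow list. The sample policy, signer names and TBS values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
# SigningScenario Value attribute: 131 = kernel-mode drivers, 12 = user-mode (Windows)
SCENARIOS = {"131": "kernel", "12": "user"}

# Constructed sample policy: Caphyon signer is allowed in kernel mode only.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:UMCI</Option></Rule>
  </Rules>
  <Signers>
    <Signer ID="ID_SIGNER_S_1" Name="Company (constructed)"><CertRoot Type="TBS" Value="00"/></Signer>
    <Signer ID="ID_SIGNER_S_2" Name="Caphyon (constructed)"><CertRoot Type="TBS" Value="11"/></Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1"><ProductSigners><AllowedSigners>
      <AllowedSigner SignerId="ID_SIGNER_S_1"/><AllowedSigner SignerId="ID_SIGNER_S_2"/>
    </AllowedSigners></ProductSigners></SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS"><ProductSigners><AllowedSigners>
      <AllowedSigner SignerId="ID_SIGNER_S_1"/>
    </AllowedSigners></ProductSigners></SigningScenario>
  </SigningScenarios>
</SiPolicy>"""


def summarize_policy(xml_text):
    """Return rule options of interest and the signer names allowed per scenario."""
    root = ET.fromstring(xml_text)
    options = {o.text for o in root.findall("si:Rules/si:Rule/si:Option", NS)}
    # Map signer IDs to their friendly names so the report is readable.
    signers = {s.get("ID"): s.get("Name") for s in root.findall("si:Signers/si:Signer", NS)}
    allowed = {}
    for sc in root.findall("si:SigningScenarios/si:SigningScenario", NS):
        mode = SCENARIOS.get(sc.get("Value"), sc.get("Value"))
        ids = [a.get("SignerId") for a in
               sc.findall("si:ProductSigners/si:AllowedSigners/si:AllowedSigner", NS)]
        allowed[mode] = sorted(signers.get(i, i) for i in ids)
    return {"audit_mode": "Enabled:Audit Mode" in options,
            "umci": "Enabled:UMCI" in options, "allowed": allowed}


def missing_signers(summary, required):
    """Required signer names absent from the user-mode allow list (where installers run)."""
    return sorted(set(required) - set(summary["allowed"].get("user", [])))


if __name__ == "__main__":
    s = summarize_policy(SAMPLE_POLICY)
    print(s)
    print("missing in user mode:", missing_signers(s, ["Company (constructed)", "Caphyon (constructed)"]))
```

Run it against a real exported policy by replacing SAMPLE_POLICY with the file contents; an installer-related signer that appears only under the kernel scenario will be reported as missing.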
