Open
Description
If attempting to create a new rule for a specific file in a folder (say one specific binary out of C:\Windows\system32, my specific use case) there is no ready way to inform New-CIPolicyRule that the -DriverFiles argument that will accept a list of raw file names, or a single raw file name needs to have the UserMode flag set.
For example:
New-CiPolicyRule -DriverFiles $createdFromDriverScan[1] -Level Publisher -Fallback Hash
will have UserMode set to true.
The exact same file if passed directly to New-CIPolicyRule:
New-CiPolicyRule -DriverFiles "C:\Temp\helloWorld.ps1" -Level Publisher -Fallback Hash
will have UserMode set to false, with no way to edit it.
I also looked into initializing a custom Microsoft.SecureBoot.UserConfig.DriverFile object so I could set this parameter myself, but there isn't an obvious way to do this.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: bd2d20e9-996d-98cc-1866-261ca4d51f46
- Version Independent ID: e971f828-e670-0108-f95a-7ae602b4ad94
- Content: New-CIPolicyRule (ConfigCI)
- Content Source: docset/winserver2022-ps/configci/New-CIPolicyRule.md
- Product: w10
- Technology: windows
- GitHub Login: @JasonGerend
- Microsoft Alias: jgerend