FILE: C:\Windows\schemas\CodeIntegrity\cipolicy.xsd

--


  
  
    
      
    
  

  
    
  
  
  
    
  

  
    
  

  
  
    
      
        
          
            
              A Macro element defines a text substitution macro that can be used in other elements.
              Macros are referenced using NMAKE syntax, i.e. $(runtime.windows).
            
          
          
            
              
                
                  Required. The Id for this macro, used in macro references. For example, if the
                  Id for this macro is "runtime.windows", the macro would be referenced as $(runtime.windows).
                
              
            
            
              
                
                  Required. The value that will be substituted for macro references in macro- enabled XML attributes.
                
              
            
          
        
      
    
    
      
      
    
  

  
  
    
      
      
    
  
  
  
  
    
      
      
      
    
  

  
  
    
    
  

  
  
    
      
    
  

  
  
    
      
    
  

  
  
    
      
        AppIDs may use either macros only (and be multi-valued). For example $(Adobe65)$(TestApp)
        ((\$\([a-zA-Z_][a-zA-Z_0-9.]*\))+)
        or they may be a string that does not begin with a $ and be single valued
        (^[^\$]([a-zA-Z0-9\-_!@#%\^\.,;:=\+~`'\{\}\(\)\[\]\$ \\])*)
      
    
    
      
      
    
  
  
  
    
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
    
  

  
  
    
      
      
      
      
    
  
  
  
  
    
      
        
      
      
      
      
    
  
  
  
  
    
      
        Collection of setting elements.
      
    
    
      
        
      
    
  

  
    
      
        
      
    
  

  
      
  
  
  
  
    
      
     
  

    
    
        
        
    
    
    
    
        
            
            
        
    

    
    
        
               
        
    
    
    
    
        
            
        
    

    
    
        
            
        
    
    
    
    
        
            
        
    
    
    
    
        
            
            
            
        
    

    
    
        
            
                 
                 
                 
            
        
    
    
    
    
        
            
                   
                   
                   
            
        
    
    
    
        
            
                
                
                
            
        
    

    
    
        
            
                Define a Signer
            
        
        
            
            
            
            
        
        
        
    
    
    
    
        
            
                Define a Signing Scenario type
            
        
        
            
            
            
        
        
        
    

    
    
        
            
                EKU ID type starts with ID_EKU_
            
        
        
            
            
        
    
    
    
    
        
            
                Signing Scenario ID type starts with ID_SIGNGINGSCENARIO_
            
        
        
            
            
        
    
  
    
    
        
            
                Multiple ID_SIGNINGSCENARIO_ seperated by ','
            
        
        
            
            
        
    

    
    
        
            
                Allow Rule ID should start with ID_ALLOW_
            
        
        
            
        
    

    
    
        
            
                Generic file rule ID should start with ID_FILEATTRIB_
            
        
        
            
            
        
    
  
    
    
        
            
                Deny Rule ID should start with ID_DENY_
            
        
        
            
            
        
    
    

    
    
        
            
                Signer ID should start with ID_SIGNER_
            
        
        
            
            
        
    
    
    
    
        
            
                FileRulesRef is a collection of FileRuleRef
            
        
        
            
                
            
            
            
        
    


    
    
        
            
                Multiple ID_ALLOW_ or ID_DENY_ separated by ','
            
        
        
            
            
        
    
    
    
    
        
            
                Used to reference an file rule through rule ID
            
        
        
            
        
    

    
        
            
                A FileAttribRef is used to reference a FILE_ATTRIB rule through ID
            
        
        
            
        
    
    
    
    
        
            
                ExceptDenyRule rule is a deny rule type. It makes specific allow Signer conditional.
                If the allow Signer rule allows, but the exception condition met, then the result is deny.
            
        
        
            
        
    

    
    
        
            
                ExceptAllowRule rule is an allow rule type. It makes specific deny Signer conditional.
            
        
        
            
        
    

    
  
    
    
        
            
                Collection of EKUs.
            
        
        
            
                
            
        
    
  
    
    
        
            
                Define an EKU
            
        
        
            
            
            
        
    
    
    
    
        
            
                Collection of File Rules.
            
        
        
            
                
                
                
            
        
    
  
    
    
        
            
                Define a file allow rule
            
        
        
            
            
            
            
            
            
            
            
            
            
            
            
        
    
  
    
    
        
            
                Define a File deny rule
            
        
        
            
            
            
            
            
            
            
            
            
            
            
            
        
    
  
    
        
            
                Define a generic file attribute rule than can be combined with Signers
            
        
        
            
            
            
            
            
            
            
            
            
            
            
            
        
    

    
    
        
            
                Colletion of AllowedSigner
            
        
        
            
                
            
            
            
        
    
  
    
    
        
            
                Colletion of DeniedSigner
            
        
        
            
                
            
            
            
        
    

    
    
        
            
                An AllowedSigner defines a signer with condition (with exceptions)
            
        
        
            
                
            
            
        
    
  
    
    
        
            
                An DeniedSgner defines a deny rule
            
        
        
            
                
            
            
        
    
    
    
    
        
            
                defines a signer for System Integrity Policy Updating
            
        
        
            
        
    

    
        
            
              Collection of UpdatePolicySigner.
            
        
        
            
                
            
        
    

  
  
    
      
        defines a signer that CI will trust for CI signing levels.
      
    
    
      
    
  

  
    
      
        Collection of CiSigner.
      
    
    
      
        
      
    
  
    
   
    
        
            
                Collection of signers.
            
        
        
            
                
            
        
    

  
        
            
                A Signer
            
        
        
            
                
                
                
                
                
                
              
            
            
            
         
  


    
        
            
                Collection of SigningScenarios
            
        
        
            
                
            
        
    
    
        
            
                Define a Signing Scenario
            
        
        
            
                
                
                
            
            
            
            
            
            
        
    
  
  
  
    
      
        
        
        
        
          
            
                          
            
          
        
         
         
         
         
         
         
         
         
         
      
      
    
  


--