Process mitigation - signature policy

Hi,

Is anyone familiar with this policy?
https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process_mitigation_binary_signature_policy

Specifically, I’m trying to understand the meaning of MitigationOptIn
Does having it ‘on’ mean:

  1. An image must be signed by Microsoft AND the store AND WHQL (all of them together) in order to be loaded by the process
  2. An image must be signed by at least one of the following: { Microsoft, store, WHQL } in order to be loaded by the process

I tend to believe it’s (2), but the documentation is not clear to me. I’ve tried to look into ci.dll but it requires some digging.

Thanks!
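For anyone who would rather test the policy empirically than dig through ci.dll, here is an added example (not from this thread) in C that opts the calling process in via SetProcessMitigationPolicy and reads the effective flags back with GetProcessMitigationPolicy. It assumes the documented bit-field order of the struct (MicrosoftSignedOnly, StoreSignedOnly, MitigationOptIn); the Windows-only calls are guarded by _WIN32 so the flag-building helper also compiles elsewhere.

```c
/* Added example, not code from the thread: set and query the
 * binary-signature mitigation for the current process. */
#include <stdint.h>
#include <stdio.h>

/* Bit positions of PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY.Flags,
 * following the order the winnt.h bit-fields are declared in (assumption):
 * MicrosoftSignedOnly = bit 0, StoreSignedOnly = bit 1, MitigationOptIn = bit 2. */
#define SIGPOL_MICROSOFT_SIGNED_ONLY 0x1u
#define SIGPOL_STORE_SIGNED_ONLY     0x2u
#define SIGPOL_MITIGATION_OPT_IN     0x4u

/* Build the Flags word from the three documented switches. */
uint32_t build_signature_policy_flags(int microsoft_only, int store_only, int opt_in)
{
    uint32_t flags = 0;
    if (microsoft_only) flags |= SIGPOL_MICROSOFT_SIGNED_ONLY;
    if (store_only)     flags |= SIGPOL_STORE_SIGNED_ONLY;
    if (opt_in)         flags |= SIGPOL_MITIGATION_OPT_IN;
    return flags;
}

#ifdef _WIN32
#include <windows.h>

/* Apply the policy to the calling process. Do this early, before any
 * third-party DLL is loaded, since it only affects later image loads. */
int apply_signature_policy(uint32_t flags)
{
    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY pol;
    ZeroMemory(&pol, sizeof pol);
    pol.Flags = flags;
    return SetProcessMitigationPolicy(ProcessSignaturePolicy, &pol, sizeof pol) ? 1 : 0;
}

/* Read the effective policy back so a hardening check can verify it took. */
int query_signature_policy(uint32_t *flags_out)
{
    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY pol;
    if (!GetProcessMitigationPolicy(GetCurrentProcess(), ProcessSignaturePolicy, &pol, sizeof pol))
        return 0;
    *flags_out = (uint32_t)pol.Flags;
    return 1;
}

int main(void)
{
    /* Opt in only; which signers MitigationOptIn then accepts is the open
     * question above, so try loading differently signed test DLLs afterwards. */
    uint32_t want = build_signature_policy_flags(0, 0, 1), got = 0;
    if (!apply_signature_policy(want)) { printf("SetProcessMitigationPolicy failed: %lu\n", GetLastError()); return 1; }
    if (query_signature_policy(&got)) printf("effective signature policy flags: 0x%x\n", got);
    return 0;
}
#endif
```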

It’s ambiguous.

File a doc bug right from that page asking for clarification. In my experience, the doc writers are happy, sometimes even eager, to clear up stuff like this.

Peter