Merge pull request #10079 from MaratMussabekov/patch-293

Update deploy-wdac-policies-with-script.md
Denise Vangel-MSFT 2021-11-10 08:41:43 -08:00 committed by GitHub
commit 2b103cbefc


@ -10,7 +10,7 @@ ms.reviewer: jogeurte
ms.author: jogeurte ms.author: jogeurte
ms.manager: jsuther ms.manager: jsuther
manager: dansimp manager: dansimp
ms.date: 04/14/2021 ms.date: 11/06/2021
ms.technology: windows-sec ms.technology: windows-sec
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
@ -32,7 +32,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
> [!NOTE] > [!NOTE]
> To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool. > To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.
## Script-based deployment process for Windows 10 version 1903 and above ## Deploying policies for Windows 10 version 1903 and above
1. Initialize the variables to be used by the script. 1. Initialize the variables to be used by the script.
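Review bot: Renaming the heading from "Script-based deployment process for Windows 10 version 1903 and above" to "Deploying policies for Windows 10 version 1903 and above" changes the generated anchor, so any existing links or bookmarks to the old fragment will land at the top of the page instead of this section. Before merging, search the repo for links to the old anchor and update them; the same applies to the other heading this PR renames further down.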
@ -56,23 +56,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
& $RefreshPolicyTool & $RefreshPolicyTool
``` ```
### Deploying signed policies ## Deploying policies for Windows 10 versions earlier than 1903
In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically.
1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt:
```powershell
mountvol J: /S
J:
mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active
```
2. Copy the signed policy binary as `{PolicyGUID}.cip` to `J:\EFI\Microsoft\Boot\CiPolicies\Active`.
3. Reboot the system.
## Script-based deployment process for Windows 10 versions earlier than 1903
1. Initialize the variables to be used by the script. 1. Initialize the variables to be used by the script.
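Review bot: The deleted step 2 carried the requirement that the signed policy be copied as `{PolicyGUID}.cip`, and that detail does not reappear in the relocated section, whose `Copy-Item` keeps whatever filename `$PolicyBinary` already has. Restate the `{PolicyGUID}.cip` naming rule in the new "Deploying signed policies" section so readers do not drop a wrongly named file into `CiPolicies\Active`. Moving the section out from under the 1903-and-above heading to top level is a good call, since the EFI copy applies to both deployment paths.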
@ -93,3 +77,25 @@ In addition to the steps outlined above, the binary policy file must also be cop
```powershell ```powershell
Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary} Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary}
``` ```
## Deploying signed policies
In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically.
1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt:
```powershell
$MountPoint = 'C:\EFI'
$EFIDestinationFolder = "$MountPoint\Microsoft\Boot\CiPolicies\Active"
$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
mkdir $EFIDestinationFolder
mountvol $MountPoint $EFIPartition
```
2. Copy the signed policy to the created folder:
```powershell
Copy-Item -Path $PolicyBinary -Destination $EFIDestinationFolder -Force
```
3. Restart the system.
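Review bot: In step 1, `mkdir $EFIDestinationFolder` runs before `mountvol $MountPoint $EFIPartition`, so the `Microsoft\Boot\CiPolicies\Active` tree is created on the C: volume under a not-yet-mounted `C:\EFI`, and `mountvol` then fails because a mount-point directory must be empty. Reorder to `mkdir $MountPoint`, then `mountvol $MountPoint $EFIPartition`, then `mkdir $EFIDestinationFolder`, and use `New-Item -ItemType Directory -Force` if the "if it does not exist" wording is meant to tolerate an existing folder, which plain `mkdir` does not. Step 2 copies `$PolicyBinary`, which this section never defines, while the script in the preceding hunk uses `$DestinationBinary`; define the variable or reuse the existing one, and consider ending with `mountvol $MountPoint /D` so the EFI partition is not left mounted on the client after the copy.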