Merge pull request #10909 from wdormann/public

Clarify EFI partition instructions to indicate that they only apply to signed WDAC policies
2025-05-12 13:27:23 +00:00 · 2022-10-18 11:21:55 -04:00 · 2022-10-18 11:21:55 -04:00 · 78b4c6d449
commit 78b4c6d449
parent 15d25a181e 33a102ed43
1 changed files with 1 additions and 1 deletions
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@ -82,7 +82,7 @@ You should now have one or more WDAC policies converted into binary form. If not

 ## Deploying signed policies

-In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. 
+If you are using [signed WDAC policies](windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the steps outlined above. Unsigned WDAC policies do not need to be present in the EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. 

 1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt: